Secure testing team - Sep 2008 - Bug#497452: nfdump: vulnerable to symlink attacks

Package: nfdump
Version: 1.5.7-4
Severity: grave
Tags: security

Hi,

nfdump in its default installation starts nfcapd as a daemon that
creates a file in /var/tmp/nfcapd.current.<pid> as well as 
/var/tmp/nfcapd.<yyyymmddhhmmss>. These files are vulnerable to symlink
attacks which is especially worse because nfcapd runs as root (see
#497446) and thus can overwrite any file on the system.

I think the easiest way would be to fix #497446 and let nfcapd store its
files in /var/lib/nfdump (-l command line switch) or similar instead of
world-writeable /var/tmp.

Note that i only tried to overwrite files with nfcapd.current.<pid> but
i believe the same bug exists for the nfcapd.<date> variant.

Regards,
Andreas



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''testing'')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE at euro, LC_CTYPE=de_DE at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfdump depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  librrd4                       1.3.1-3    Time-series data storage and displ
ii  lsb-base                      3.2-12     Linux Standard Base 3.2 init scrip

nfdump recommends no packages.

-- no debconf information