Secure testing team - Sep 2008 - Bug#500181: chillispot: symlink attack can be launched via postinst

Package: chillispot
Version: 1.0-9
Severity: grave
Tags: security

From postinst:

8<------------------------------------------>8
# config file
CONFIGFILE=/etc/chilli.conf
# upstream config file
TEMPCONFIG=/tmp/chilli.conf
...
# unpack upstream config
zcat /usr/share/doc/chillispot/chilli.conf.gz > $TEMPCONFIG
...
         echo "NOTE:"
         echo "You have choosed to edit configuration by hand.";
         echo "A default configuration will be available on
''/etc/chilli.conf''";

         if [ ! -e $CONFIGFILE ]; then
                  mv $TEMPCONFIG $CONFIGFILE
         else
                  ucf $TEMPCONFIG $CONFIGFILE
         fi
else
...
        -e "s/^(#)?uamhomepage.*/uamhomepage\ $uam_homepage/" \
        -e "s/^(#)?uamsecret.*/uamsecret\ $uam_secret/" \
                  < $TEMPCONFIG > $tempfile

         if [ ! -e $CONFIGFILE ]; then
                  mv $tempfile $CONFIGFILE
         else
                  ucf $tempfile $CONFIGFILE
         fi
8<------------------------------------------>8


Putting a symlink in place can help nuking another file''s content, or
even modifying the program''s config file to the attacker''s
will.

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080925/4eb79624/attachment.pgp