Secure testing team - Nov 2008 - Bug#504149: virtualbox-ose: symlink vulnerability due to bad /tmp handling

Package: virtualbox-ose
Version: 1.6.6-dfsg-2
Severity: serious
Tags: security

By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
overwrite any file owned by any user who starts virtualbox. Starting and
then exiting virtualbox is enough to trigger this, you don''t need to
start any virtual machines.

In addition to this, it is a really stupid idea to put dotfiles in /tmp
and this should be fixed too.

In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
when exiting, which is just rude.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, ''testing''), (600,
''unstable''), (550, ''experimental'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages virtualbox-ose depends on:
ii  adduser                    3.110         add and remove users and groups
ii  debconf [debconf-2.0]      1.5.22        Debian configuration management sy
ii  libc6                      2.7-15        GNU C Library: Shared libraries
ii  libgcc1                    1:4.3.2-1     GCC support library
ii  libgl1-mesa-glx [libgl1]   7.0.3-6       A free implementation of the OpenG
ii  libglib2.0-0               2.16.6-1      The GLib library of C routines
ii  libidl0                    0.8.10-0.1    library for parsing CORBA IDL file
ii  libqt3-mt                  3:3.3.8b-5    Qt GUI Library (Threaded runtime v
ii  libsdl1.2debian            1.2.13-2      Simple DirectMedia Layer
ii  libstdc++6                 4.3.2-1       The GNU Standard C++ Library v3
ii  libx11-6                   2:1.1.5-2     X11 client-side library
ii  libxcursor1                1:1.1.9-1     X cursor management library
ii  libxml2                    2.6.32.dfsg-4 GNOME XML library
ii  libxslt1.1                 1.1.24-2      XSLT processing library - runtime 
ii  libxt6                     1:1.0.5-3     X11 toolkit intrinsics library

Versions of packages virtualbox-ose recommends:
ii  virtualbox-ose-mod 1.6.6-dfsg-2+2.6.26-8 VirtualBox modules for Linux (kern

Versions of packages virtualbox-ose suggests:
ii  bridge-utils                1.4-5        Utilities for configuring the Linu
ii  virtualbox-ose-source       1.6.6-dfsg-2 x86 virtualization solution - kern

-- debconf information:
* virtualbox-ose/upstream_version_change: true

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081101/7c9e37a4/attachment.pgp