thr3ads.net - Secure testing team - [Secure-testing-team] Bug#650500: unsafe use of /tmp [Nov 2011]

If this information is useful, please help other people find it:
Share via:

Ansgar Burchardt

2011-Nov-30 09:36 UTC

[Secure-testing-team] Bug#650500: unsafe use of /tmp

Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security

Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.

If caching is enabled, there is a race condition that allows to
overwrite arbitrary files in ProcessTable.pm:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
link points to is overwritten.  Alternatively wrong information can be
provided.

The relevant code path can be reached with

  perl -MProc::ProcessTable -e ''my $t =
Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1);
$t->table;''

Ansgar

Secure testing team - Nov 2011 - Bug#650500: unsafe use of /tmp

[Secure-testing-team] Bug#650500: unsafe use of /tmp