security hole in /etc/cron.daily/apport
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Apport |
Fix Released
|
High
|
Martin Pitt | ||
| apport (Ubuntu) |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Gutsy |
Won't Fix
|
Low
|
Jamie Strandboge | ||
| Hardy |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Intrepid |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Jaunty |
Fix Released
|
Low
|
Jamie Strandboge | ||
| apport (openSUSE) |
Fix Committed
|
Undecided
|
Jan Blunck | ||
Bug Description
That script has:
[ -d /var/crash ] || exit 0
find /var/crash -mindepth 1 -mtime +7 -print0 | xargs -0 rm -f
find /var/crash -mindepth 1 -empty -print0 | xargs -0 rm -f
/var/crash is world writable, so one can create directories in there.
One can for instance create a /var/crash/
I beleive -maxdepth was intended instead of -mindepth. Note that -empty, -mindepth and -maxdepth are not standard (GNU extension also found in some BSD finds).
Maybe a better way to write it:
cd /var/crash &&
find . ! -name . -prune \( -type f -mtime +7 -o -size 0 \) -exec rm -f {} +
(the + above is standard but implies a recent enough version of GNU find)
| Changed in apport (Ubuntu Hardy): | |
| importance: | Undecided → Low |
| assignee: | Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand) |
| Changed in apport (Ubuntu Intrepid): | |
| importance: | Undecided → Low |
| assignee: | Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand) |
| Changed in apport (Ubuntu Gutsy): | |
| importance: | Undecided → Low |
| assignee: | Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand) |
| Changed in apport (openSUSE): | |
| status: | New → Confirmed |

2009-04-07 13:33:01 -0000, Stephane Chazelas:
[...]
> Maybe a better way to write it:
>
> cd /var/crash &&
> find . ! -name . -prune \( -type f -mtime +7 -o -size 0 \) -exec rm -f {} +
[...]
Sorry, misplaced braces above:
find . ! -name . -prune -type f \( -mtime +7 -o -size 0 \) -exec rm -f {} +
Best regards,
Stephane