Predictable /tmp filenames used in SourcesHandler
Bug #1166323 reported by Clint Byrum
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
heat-cfntools | Fix Released | Critical | Clint Byrum |
Bug Description
The use of /tmp without randomization in the filename is a generally bad security practice. If the host has a non-root malicious user present, they can use a local DNS cache poison and predict these filenames and create their own symlink to a root-owned file such as /etc/shadow, thus gaining root access. This is a theoretical vulnerability.
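The pattern described above, shown beside an exclusive-create alternative, as an added example that is not from the bug report or the heat-cfntools patch. The file name `download.tmp` and the sandbox layout are hypothetical; everything runs inside a private temporary directory that stands in for /tmp and for the root-owned file.

```python
import os
import tempfile

FIXED_NAME = "download.tmp"  # hypothetical predictable name, not from heat-cfntools

def write_predictable(workdir, data):
    """Vulnerable pattern: fixed name in a shared dir; open() follows a planted symlink."""
    path = os.path.join(workdir, FIXED_NAME)
    with open(path, "wb") as f:
        f.write(data)
    return path

def write_exclusive(workdir, data):
    """Hardened: mkstemp picks a random name and opens it O_CREAT|O_EXCL with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="download-", dir=workdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    """Exercise both patterns inside a private sandbox (constructed paths only)."""
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "shared_tmp")         # stands in for /tmp
        protected = os.path.join(sandbox, "protected.txt")   # stands in for a root-owned file
        os.mkdir(shared)
        with open(protected, "wb") as f:
            f.write(b"original")
        # The predictable name already exists as a symlink to the protected file.
        os.symlink(protected, os.path.join(shared, FIXED_NAME))

        write_predictable(shared, b"downloaded")
        after_predictable = read_bytes(protected)   # overwritten through the link

        with open(protected, "wb") as f:             # restore for the second run
            f.write(b"original")
        safe_path = write_exclusive(shared, b"downloaded")
        return {
            "after_predictable": after_predictable,
            "after_exclusive": read_bytes(protected),
            "safe_is_symlink": os.path.islink(safe_path),
            "safe_mode": os.stat(safe_path).st_mode & 0o777,
        }

if __name__ == "__main__":
    print(demo())
```

On Linux, `fs.protected_symlinks=1` refuses to follow such links in sticky world-writable directories, but an exclusive create with a random name removes the dependency on that kernel setting.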
Changed in heat-cfntools:
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in heat-cfntools:
status: New → In Progress
information type: Private Security → Public Security
Changed in heat-cfntools:
status: In Progress → Fix Committed
Changed in heat-cfntools:
status: Fix Committed → Fix Released
Attaching a patch, instead of using gerrit, until it is deemed safe to make this bug report public.