vulnerability: rewrite arbitrary user file
Bug #607264 reported by
Vasily Kulikov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| aptitude (Debian) |
Fix Released
|
Unknown
|
|||
| aptitude (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
Binary package hint: aptitude
Hi, I've just discovered that aptitude is vulnerable to rewriting any user (maybe root) file:
bool hier_editor:
...
if(
{
...
cfgfile = "/tmp/function_
}
...
save_
Here attacker can create link to any file in the system that user may write to. If process has no $HOME set, this file would be overwritten.
It is rare that $HOME is null, but it such rare case it is vulnerable.
Thanks.
Revision history for this message
| Kees Cook (kees) wrote | #1 |
| Changed in aptitude (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Low |
| visibility: | private → public |
| Changed in aptitude (Debian): | |
| status: | Unknown → New |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in aptitude (Ubuntu): | |
| status: | Confirmed → Triaged |
Revision history for this message
| Brian Murray (brian-murray) wrote | #3 |
| Changed in aptitude (Ubuntu): | |
| status: | Triaged → Fix Released |
| tags: | added: udd-find |
| Changed in aptitude (Debian): | |
| status: | New → Fix Released |
To post a comment you must log in.
Thanks for taking the time to report this bug and helping to make Ubuntu better.
The latest release of Ubuntu is not vulnerable to symlink race attacks, but earlier releases will need fixing. https:/
Since this code is extremely hard to hit, I'm setting the priority to "Low".