vulnerable to symlink attack via insecure /tmp directory or file
Bug #820497 reported by Dave Walker
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| atop (Debian) | Fix Released | Unknown | | |
| atop (Ubuntu) | Fix Released | Medium | Unassigned | |
| Maverick | Fix Released | Undecided | Unassigned | |
Bug Description
Duplicated from the Debian bug:
Hi,
I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned on man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for next release).
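The report asks for atop's runtime data to live in its own directory rather than under a predictable /tmp name. This added example (not atop's code and not the Ubuntu patch) shows how a program can refuse a runtime directory that was pre-created by someone else or replaced with a symlink. The function names, the file names and the mkdtemp() sandbox under /tmp are assumptions made for the demonstration.

```c
/* Added example, not atop's code; paths and names are constructed. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if absent) a runtime directory; return its descriptor or -1.
 * Rejects a symlink at path, a foreign owner, and group/other write access. */
int open_private_dir(const char *path)
{
    struct stat st;
    int dfd;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd >= 0 && (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
                     (st.st_mode & (S_IWGRP | S_IWOTH)))) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Create a new file relative to the verified descriptor, never by path. */
int create_in_dir(int dfd, const char *name)
{
    return openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a mkdtemp() sandbox: returns 1 when a planted
 * symlink at the directory name is refused and a fresh directory works. */
int demo_runtime_dir(void)
{
    char base[] = "/tmp/rundir-demo-XXXXXX", planted[64], fresh[64];
    int dfd, fd, refused;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(planted, sizeof planted, "%s/planted.d", base);
    snprintf(fresh, sizeof fresh, "%s/fresh.d", base);
    refused = symlink(base, planted) == 0 && open_private_dir(planted) < 0;
    dfd = open_private_dir(fresh);
    fd = dfd >= 0 ? create_in_dir(dfd, "raw.log") : -1;
    if (fd >= 0) { close(fd); unlinkat(dfd, "raw.log", 0); }
    if (dfd >= 0) close(dfd);
    rmdir(fresh); unlink(planted); rmdir(base);
    return refused && fd >= 0;
}
```

The ownership and mode checks run on the open descriptor rather than on the path, so the directory that was checked is the one later used by `openat()`.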
Related branches
lp:~darkmuggle-deactivatedaccount/ubuntu/oneiric/atop/oneiric
On hold for merging into lp:ubuntu/oneiric/atop
- Clint Byrum (community): Needs Fixing
- Dave Walker (community): Needs Fixing
Diff: 157 lines (+26/-19), 9 files modified
45atoppm (+1/-1)
acctproc.c (+2/-2)
atop.daily (+1/-1)
atop.init (+1/-1)
debian/changelog (+7/-0)
debian/control (+3/-3)
psaccs_atop (+1/-1)
psaccu_atop (+1/-1)
rawlog.c (+9/-9)
CVE References
Changed in atop (Ubuntu): status: New → In Progress
Changed in atop (Ubuntu): importance: Undecided → Medium
Changed in atop (Debian): status: Unknown → Fix Released
Changed in atop (Ubuntu): status: In Progress → Fix Released
Changed in atop (Ubuntu Maverick): status: New → Confirmed
Patched for natty and oneiric.
Tested and confirmed that moving the directories works.