vulnerable to symlink attack via insecure /tmp directory or file

Bug #820497 reported by Dave Walker on 2011-08-03
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
atop (Debian)
Fix Released
Unknown
atop (Ubuntu)
Medium
Unassigned
Maverick
Undecided
Unassigned

Bug Description

Duplicated from the Debian bug:
Hi,

I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned on man page too). I think it was established from a
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for next release).

Related branches

CVE References

Patched for natty and oneiric.

Tested and confirmed that moving the directories works.

Changed in atop (Ubuntu):
assignee: nobody → Ben Howard (utlemming)
Changed in atop (Ubuntu):
status: New → In Progress
Changed in atop (Ubuntu):
importance: Undecided → Medium
Changed in atop (Debian):
status: Unknown → Fix Released
Changed in atop (Ubuntu):
status: In Progress → Fix Released
Zubin Mithra (zubin-mithra) wrote :

Please find attached, debdiff for 10.10 Maverick.

Changed in atop (Ubuntu Maverick):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

Hi Zubin - Thanks for the debdiff! A few comments:

1) What did you base your patch off of? The patch in the Debian BTS is slightly different. Your version seems to make a few more changes.

2) The changelog is not formatted as specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the debdiff is updated.

Changed in atop (Ubuntu Maverick):
assignee: nobody → Zubin Mithra (zubin-mithra)
status: Confirmed → Incomplete
Zubin Mithra (zubin-mithra) wrote :

Hi! The changes I had made were based on a patch that was sent to the mailing list thread at [1], aand here's a link to the patch[2].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=24;filename=nmudiff.atop;att=1;bug=622794

Zubin Mithra (zubin-mithra) wrote :

Hi, I'm uploading a second debdiff file with changes as in the above link and a corrected changelog.

Changed in atop (Ubuntu Maverick):
status: Incomplete → New
Tyler Hicks (tyhicks) wrote :

Hi Zubin - The changelog looks pretty good, but now I see that you are using the exact patch from Debian. I thought that you were intentionally diverging from the Debian patch in your first debdiff.

Since Lucid and Maverick shipped version 1.23-1 and Squeeze has fixed the issue in 1.23-1+squeeze1, it is best for us to do a security fake sync[1] from the updated Debian Squeeze package. I hope that makes sense and I'm sorry for the earlier confusion.

[1]: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Sync_request_bugs

Tyler Hicks (tyhicks) wrote :

This bug was fixed in the package atop - 1.23-1+squeeze1build0.10.10.1

---------------
atop (1.23-1+squeeze1build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

atop (1.23-1+squeeze1) stable; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
    acctproc.c (Closes: #622794)
 -- Tyler Hicks <email address hidden> Fri, 10 Feb 2012 13:01:13 -0600

Changed in atop (Ubuntu Maverick):
assignee: Zubin Mithra (zubin-mithra) → nobody
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.