Insecure creation of /tmp/screen-exchange (symlink attack)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| screen | Unknown | Unknown | | |
| screen (Debian) | Fix Released | Unknown | | |
| screen (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
$ lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04
2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
$ apt-cache policy screen
screen:
Installed: 4.0.3-7ubuntu1
Candidate: 4.0.3-7ubuntu1
Version table:
*** 4.0.3-7ubuntu1 0
500 http://
100 /var/lib/
3) What you expected to happen
/tmp/screen-
(a) The file should be readable and writable only to the owner (fix for #433338 didn't really fix it, and instead changed the race condition into no-race, making the issue worse)
(b) Symlink attack should be impossible
4) What happened instead
The code responsible for the error does: open("/
(a) the file is created with default permissions, depending on the user umask value, which means world-readable under default install settings
(b) Symlink attack is possible. There used to be a race condition, but it seems it was removed when #433338 was closed, as the fix didn't really fix the problem. Now there is no race condition, and any pre-existing symbolic link will result in a file overwrite/creation.
I have created a patch that fixes the problem. The changelog shows three previous patches related to /tmp/screen-
I have tested the patched version, and it works under all conditions. The patch applies with an offset to current Debian unstable version (4.0.3-11), and I can only presume it would work.
Changed in screen (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Changed in screen (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in screen (Debian):
status: Unknown → Fix Released
tags: added: patch
I have reported this to upstream, but Launchpad cannot add the bug URL: <http://savannah.gnu.org/bugs/index.php?25296>.