Insecure xfs start/stop script

Binary package hint: xfs

The xfs start/stop script /etc/init.d/xfs is insecure. There is a problematic function set_up_socket_dir in this script:

SOCKET_DIR=/tmp/.font-unix
[...]
set_up_socket_dir () {
  echo -n "Setting up X font server socket directory $SOCKET_DIR..."
  if [ -e $SOCKET_DIR ] && ! [ -d $SOCKET_DIR ]; then
    mv $SOCKET_DIR $SOCKET_DIR.$$
  fi
  if ! [ -d $SOCKET_DIR ]; then
    mkdir -m 1777 $SOCKET_DIR || :
    do_restorecon $SOCKET_DIR || :
  fi
  echo "done."
}

This function moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately $$ is predictable and there is no test, that /tmp/.font-unix.$$ does not already exist. So especially symlink attacks are possible. The attack is only possible, if /tmp/.font-unix does not already exist. Then an attacker could create an /tmp/.font-unix file (not directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where XXXX are possible PID numbers). The start script than moves /tmp/.font-unix to an symlinked directory /tmp/.font-unix.XXXX.

I suggest to delete the contents of /tmp/.font-unix is this file is not a directory. For instance "rm -rf /tmp/.font-unix" should be ok ("rm" from coreutils should be safe). A possible fix is also described here: https://bugzilla.novell.com/show_bug.cgi?id=408006

The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is attached.
[lspci]
00:00.0 Host bridge [0600]: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP 340M] [1002:cbb2] (rev 02)
     Subsystem: Sony Corporation Device [104d:8175]
01:05.0 VGA compatible controller [0300]: ATI Technologies Inc M9+ 5C61 [Radeon Mobility 9200 (AGP)] [1002:5c61] (rev 01)
     Subsystem: Sony Corporation Device [104d:8175]