Ubuntu
sabre package

[CVE-2008-4406/4407] - Sabre - local users to cause a denial of service andlocal users to delete or overwrite arbitrary files via a symlink attack

  1. Intrepid (8.10)
  2. Bug #283446
Bug #283446 reported by Stefan Lesicnik
256
Affects Status Importance Assigned to Milestone
sabre (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Fix Released
Undecided
Stefan Lesicnik
Gutsy
Fix Released
Undecided
Stefan Lesicnik
Hardy
Fix Released
Undecided
Stefan Lesicnik
Intrepid
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: sabre

A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b
allows local users to delete or overwrite arbitrary files via a symlink
attack on unspecified .tmp files.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4406

XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create
/tmp/sabre.log, which allows local users to cause a denial of service
(application unavailability) by creating a /tmp/sabre.log file that cannot
be overwritten.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4407

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Two separate CVE issues exist both with regards to the creation of .tmp files.

The first is a local users denial of service, where one user starts the application and the file is created and not removed. Subsequent different users cannot start the application as this file exists and cannot be removed.

The second is a symlink attack to possibly delete or overwrite arbitrary files.

cat /etc/fstab
##UNCONFIGURED BASE SYSTEM
ln -s /etc/fstab /tmp/sabre.log

cat /etc/fstab
Not running in a graphics capable console,
and unable to find one.

The upstream provided patch uses mktemp to generate random temporary files.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Gutsy & Hardy use the same version.

Testing with Hardy chroot we can now see sabre uses real temp files

-rw------- 1 root root 67 Oct 15 19:52 sabre.H26051
-rw------- 1 root root 0 Oct 15 19:52 sabre.U26052
-rw------- 1 root root 3 Oct 15 19:52 sabre.h26050

After exiting all log files are successfully deleted.

Stefan Lesicnik (stefanlsd)
Changed in sabre:
status: New → Fix Released
assignee: nobody → stefanlsd
status: New → In Progress
assignee: nobody → stefanlsd
status: New → In Progress
assignee: nobody → stefanlsd
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks Stefan! The gutsy and hardy debdiffs are malformed. Can you clean them up, test, upload and mark the bug back to In Progress?

Changed in sabre:
status: In Progress → Incomplete
status: In Progress → Incomplete
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Sorry for the inconvenience. Created patches with quilt, built and tested. Should hopefully be better.

Changed in sabre:
status: Incomplete → In Progress
status: Incomplete → In Progress
Jamie Strandboge (jdstrand)
Changed in sabre:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand)
Changed in sabre:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.