Insecure use of temp files

Binary package hint: flash-kernel

        Hi folks

While reviewing a recent patch in Debian #596889, I noticed that flash-kernel already had other instances of this apparently insecure construct:

> + tmp=$(tempfile)
> + cat $kfile >> $tmp
> + mkimage -A arm -O linux -T kernel -C none -a 0x60008000 \
> + -e 0x60008000 -n "Linaro Kernel" -d $tmp $tmp.uboot \
> + >&2 1>/dev/null

mkimage takes the kernel from $tmp and writes it to its first arg, $tmp.uboot. There is a window where an attacker can create a tmp.uboot symlink pointing to a file of his choice making this a probably low priority local denial of service vulnerability. Note that flash-kernel is called for each kernel upgrade and runs as root to install the new kernel.

I checked flash-kernel 1.6 and it doesn't call mkimage but is affected by a different type of tempfile abuse:

                tmp=$(tempfile)
                printf "Flashing kernel: " >&2
                (
                        sercomm_header $(expr $kfilesize + 16)
                        dd if=$kfile of=$tmp bs=$ksize1 count=1 2>/dev/null
                        nslu2_swap $tmp
                        sercomm_header 131072
                        dd if=$kfile of=$tmp ibs=$ksize1 skip=1 2>/dev/null
                        nslu2_swap $tmp
                        rm -f $tmp
                ) > "$kmtd" || error "failed."
                echo "done." >&2
                printf "Flashing initramfs: " >&2
                dd if=$ifile of=$tmp ibs=$(($imtdsize - 16)) conv=sync 2>/dev/null

Note how the tempfile is created, truncated by dd, truncated by dd a second time, removed, and then created again in this last dd call I quoted above.

   Cheers,