Insecure use of temp files
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| flash-kernel (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Won't Fix | Medium | Unassigned | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Won't Fix | Medium | Unassigned | |
| Quantal | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: flash-kernel
Hi folks
While reviewing a recent patch in Debian #596889, I noticed that flash-kernel already had other instances of this apparently insecure construct:
> + tmp=$(tempfile)
> + cat $kfile >> $tmp
> + mkimage -A arm -O linux -T kernel -C none -a 0x60008000 \
> + -e 0x60008000 -n "Linaro Kernel" -d $tmp $tmp.uboot \
> + >&2 1>/dev/null
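Review bot: the output path `$tmp.uboot` is derived from the tempfile name but is never itself created by `tempfile`, so in the shared, world-writable temp directory it is a predictable name that another local user can pre-create (for instance as a symlink) before `mkimage` writes to it, and because flash-kernel runs as root the write would follow that link. Create a private directory with `mktemp -d` and keep both the kernel copy and the `.uboot` output inside it, or at minimum obtain the output name from a second `tempfile` call and pass that to `mkimage`. A smaller point on the same line: `>&2 1>/dev/null` first sends stdout to stderr and then overrides it with /dev/null, so the `>&2` has no effect; if the intent is to silence stdout and keep stderr visible, `>/dev/null` alone does that.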
mkimage takes the kernel from $tmp and writes it to its first arg, $tmp.uboot. There is a window where an attacker can create a tmp.uboot symlink pointing to a file of his choice, making this a probably low-priority local denial of service vulnerability. Note that flash-kernel is called for each kernel upgrade and runs as root to install the new kernel.
I checked flash-kernel 1.6 and it doesn't call mkimage but is affected by a different type of tempfile abuse:
(
) > "$kmtd" || error "failed."
dd if=$ifile of=$tmp ibs=$(($imtdsize - 16)) conv=sync 2>/dev/null
Note how the tempfile is created, truncated by dd, truncated by dd a second time, removed, and then created again in this last dd call I quoted above.
Cheers,
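A hardened form of the construct described in this report, added here as an example rather than flash-kernel's own code: the derived output and the working copy both live in a private directory instead of beside a tempfile in the shared temp directory, which also removes the remove-and-recreate pattern from the dd case. The helper `convert` is an assumption of this example standing in for mkimage, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not flash-kernel's own code. "convert" is a stand-in for
# mkimage (assumption: it only needs to read one path and write another).
# The caller removes the returned directory when it is done with the image.

convert() { cat "$1" > "$2"; }

# Pattern from the report: $tmp is created safely, but the derived output
# name "$tmp.uboot" is predictable and sits in the shared temp directory,
# where any local user may pre-create it before convert writes to it.
stage_unsafe() {
    tmp=$(mktemp) || return 1
    cat "$1" >> "$tmp"
    convert "$tmp" "$tmp.uboot"
    printf '%s\n' "$tmp.uboot"
}

# Hardened version: every path lives in a private directory that mktemp -d
# creates with mode 0700, so no other user can plant an entry inside it.
# Nothing is ever removed and recreated under a reused name in a shared
# directory, which is what made the dd sequence in the report fragile.
stage_safe() {
    tmpdir=$(mktemp -d) || return 1
    cp "$1" "$tmpdir/kernel" || { rm -rf "$tmpdir"; return 1; }
    convert "$tmpdir/kernel" "$tmpdir/kernel.uboot" || { rm -rf "$tmpdir"; return 1; }
    # Belt and braces: refuse anything that is not a plain regular file.
    if [ -L "$tmpdir/kernel.uboot" ] || [ ! -f "$tmpdir/kernel.uboot" ]; then
        rm -rf "$tmpdir"; return 1
    fi
    printf '%s\n' "$tmpdir/kernel.uboot"
}

# Returns 0 when a work directory has the private 0700 permissions expected
# from mktemp -d (portable check via ls -ld rather than stat).
is_private_dir() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}
```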
| Changed in | Field | Change |
|---|---|---|
| flash-kernel (Ubuntu) | status | New → Confirmed |
| flash-kernel (Ubuntu) | importance | Undecided → Low |
| flash-kernel (Ubuntu Lucid) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| flash-kernel (Ubuntu Natty) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| flash-kernel (Ubuntu Oneiric) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| flash-kernel (Ubuntu Precise) | assignee | nobody → Marc Deslauriers (mdeslaur) |
| flash-kernel (Ubuntu Lucid) | status | Confirmed → Won't Fix |
| flash-kernel (Ubuntu Lucid) | assignee | Marc Deslauriers (mdeslaur) → nobody |
| flash-kernel (Ubuntu Natty) | assignee | Marc Deslauriers (mdeslaur) → nobody |
| flash-kernel (Ubuntu Oneiric) | assignee | Marc Deslauriers (mdeslaur) → nobody |
| flash-kernel (Ubuntu Precise) | assignee | Marc Deslauriers (mdeslaur) → nobody |
This was fixed in 2.33 in Debian, but still not in Ubuntu. Since that is public, I am marking this bug as public.