To comment on the following update, log in, then open the issue: http://www.openoffice.org/issues/show_bug.cgi?id=93119 Issue #|93119 Summary|echo to predictable path causes possibility of symlink | attack Component|gsl Version|OOo 2.4.1 Platform|All URL|http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=49636 |1 OS/Version|Unix, X11 Status|NEW Status whiteboard| Keywords| Resolution| Issue type|DEFECT Priority|P2 Subcomponent|code Assigned to|obr Reported by|rene
------- Additional comments from [EMAIL PROTECTED] Mon Aug 25 20:53:09 +0000 2008 ------- [ filing here, it's public in Debians BTS anyway ] See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496361. senddoc in 2.4.1 (didn't check shortly earlier versions, 2.0.4 is not affected and 3.0 isn't either, but given that 2.4.1 is a bugfix release for 2.4.0, I bet at least that is affected, too) coontains left-over debugging echos: [...] echo "$@" > /tmp/log.obr.$$ echo "$#" >> /tmp/log.obr.$$ [...] $$ in bash is the PID of the current shell. Now imagine an attacker (A) (which admittedly needs to have an account on the machine, so this is a local "exploit") does a symlink from /tmp/log.obr.<pid> to <whatever_file>. whatever_file being owned by an other user (B). The echo then overwrites all of the contents of that file with the log - effectvely making A being able to destroy Bs file (which me might not have permissions on) because OOo/senddoc is ran by B. $$ is guessable from A by just looking at ps' output and picking bashs running for B and creating symlinks for them. --------------------------------------------------------------------- Please do not reply to this automatically generated notification from Issue Tracker. Please log onto the website and enter your comments. http://qa.openoffice.org/issue_handling/project_issues.html#notification --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
