https://sourceware.org/bugzilla/show_bug.cgi?id=26945
Bug ID: 26945
Summary: Unsafe chown+chmod in smart_rename, possibly elsewhere
Product: binutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: bugdal at aerifal dot cx
Target Milestone: ---

At least objcopy and perhaps other utilities generate a temp file safely with
mkstemp then rename it to atomically replace the original, but the smart_rename
function (binutils/rename.c) used to do this then performs chown and chmod on
the target pathname rather than fchown/fchmod on the file. This is subject to
all the classic symlink race attacks and can be used to get root to chown or
chmod arbitrary files. In a worst case, with multiple racing file replacements,
it can be used to chmod arbitrary root-owned files suid.

This is only an issue if the file being operated on is in a directory writable
by the attacker. However, the whole point of the ownership/permissions
restoration logic seems to be for the case where root is operating on other
users' files, and it seems likely that the directory will also be user-owned.

I'm reporting this through a public issue rather than security because I don't
think there are direct ways to exploit it programmatically in a normal
environment. There may be when the affected tools are used in automated scripts
acting on user-owned files, though.
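
The difference the report describes between chown/chmod on a pathname and fchown/fchmod on the file, as an added example that is not binutils code and not part of the report. `replace_keep_attrs`, `demo_mode` and the file names are hypothetical, and the sketch assumes the tool still holds a descriptor for the original file it read.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not binutils code. origfd is the descriptor the tool
   read its input from; tmpfd/tmp come from mkstemp in the same directory. */
static int replace_keep_attrs(int origfd, int tmpfd, const char *tmp, const char *dest)
{
    struct stat st;
    if (fstat(origfd, &st) != 0)
        return -1;
    mode_t mode = st.st_mode & 07777;
    /* The reported pattern is rename(tmp, dest) followed by chown(dest, ...) and
       chmod(dest, ...): each call resolves the path again in a shared directory. */
    if (fchown(tmpfd, st.st_uid, st.st_gid) != 0)
        mode &= ~(mode_t)(S_ISUID | S_ISGID); /* owner not restored: no suid/sgid */
    if (fchmod(tmpfd, mode) != 0)
        return -1;
    return rename(tmp, dest); /* nothing touches dest by name afterwards */
}

/* Constructed demo: replace a 0640 file and return the mode it ends up with. */
static int demo_mode(void)
{
    char dir[] = "/tmp/renameXXXXXX", dest[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(dest, sizeof dest, "%s/a.out", dir);
    snprintf(tmp, sizeof tmp, "%s/stXXXXXX", dir);
    int origfd = open(dest, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (origfd < 0 || fchmod(origfd, 0640) != 0)
        return -1;
    int tmpfd = mkstemp(tmp); /* mkstemp creates the file with mode 0600 */
    if (tmpfd < 0 || write(tmpfd, "new", 3) != 3)
        return -1;
    int rc = replace_keep_attrs(origfd, tmpfd, tmp, dest);
    close(origfd);
    close(tmpfd);
    if (rc != 0 || lstat(dest, &st) != 0)
        return -1;
    unlink(dest);
    rmdir(dir);
    return (int)(st.st_mode & 07777);
}

int main(void) { printf("%o\n", (unsigned)demo_mode()); return 0; }
```

Because ownership and mode are applied to the descriptor returned by mkstemp before the rename, a symlink planted at the destination path afterwards is never the object of a chown or chmod.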