Sven Joachim <[EMAIL PROTECTED]> wrote:

> Package: auctex
> Version: 11.83-7.2
> Severity: grave
> Tags: security
>
> Auctex reuses an old logfile name in /tmp for logs whenever an emacsen
> is installed/upgraded.  Since /tmp is cleaned regularly, an attacker may
> replace it with a symlink after the file has been deleted:
>
> ,----
> | % debconf-show auctex
> | debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
> | * auctex/doauto: Background
> | * auctex/default: true
> |   auctex/logfile: /tmp/update-auctex-elisp.pykjkoG
> |   auctex/alreadydefault:
> | * auctex/defaultchanged:
> |   auctex/doautofg: File
> | % ln -s /etc/foo /tmp/update-auctex-elisp.pykjkoG
> | ls -l /etc/foo
> | ls: cannot access /etc/foo: No such file or directory
> | % sudo aptitude reinstall emacs22-gtk
> | [...]
> | % ls -l /etc/foo
> | -rw-r--r-- 1 root root 211129 Nov 26 13:58 /etc/foo
> | % head /etc/foo
> | Applying style hooks...
> | Applying style hooks... done
> | Sorting environment...
> | Removing duplicates...
> | Removing duplicates... done
> | Applying style hooks...
> | Applying style hooks... done
> | Parsing bbox.sty...
> | Parsing bbox.sty... done
> | Applying style hooks...
> | %
> `----

You proved it, but I don't understand it. From
/usr/lib/emacsen-common/packages/install/auctex: 

        case "${_db_doautofg}" in
            (Console)
            rm -f ${_db_logfile}
            /usr/sbin//update-auctex-elisp ${FLAVOR} ;;
            (File)
            echo >&2 -n "update-auctex-elisp: "
            echo >&2 "Further output will appear in: ${_db_logfile}."
            echo >&2 -n "auctex: "
            echo >&2 -n "Waiting for update-auctex-elisp to terminate... "
            /usr/sbin//update-auctex-elisp ${FLAVOR} >> ${_db_logfile} 2>&1

So the file is removed before it is written to, and that should be safe,
shouldn't it?

Regards, Frank

-- 
Frank Küster
Debian Developer (TeXLive)
ADFC Miltenberg
B90/Grüne KV Miltenberg
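
An added example, not part of the original message or of the auctex package: inside a private scratch directory it shows that an appending redirection like the one in the `(File)` branch quoted above writes through a symlink at a remembered path, and two ways a maintainer script can avoid that (`mktemp`, or exclusive creation with `set -C`). The function names and scratch paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; all paths live in a scratch directory made by mktemp -d.

# Pattern of the (File) branch in the excerpt: append to a remembered,
# predictable path. ">>" follows whatever symlink sits at that path.
unsafe_append() {       # $1 = remembered log path
    echo "Applying style hooks..." >> "$1"
}

# Hardened: mktemp creates a new file exclusively (mode 0600) under an
# unpredictable name, so a pre-planted link cannot be the target.
safe_log() {            # $1 = log directory; prints the new log path
    log=$(mktemp "$1/update-auctex-elisp.XXXXXX") || return 1
    echo "Applying style hooks..." >> "$log"
    printf '%s\n' "$log"
}

# If the name must stay fixed: with noclobber (set -C) the shell creates
# the file with O_EXCL, which fails when a regular file or a dangling
# symlink is already at the path.
exclusive_create() {    # $1 = log path; non-zero if something is there
    ( set -C; echo "Applying style hooks..." > "$1" ) 2>/dev/null
}

demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim"                      # stands in for /etc/foo
    stale="$scratch/update-auctex-elisp.pykjkoG"  # name from the report
    ln -s "$victim" "$stale"                      # dangling link, as reported
    unsafe_append "$stale"
    if [ -f "$victim" ]; then echo "unsafe: wrote through the symlink"; fi
    rm -f "$victim"
    if ! exclusive_create "$stale"; then echo "set -C: refused"; fi
    if [ ! -e "$victim" ]; then echo "victim not created"; fi
    new=$(safe_log "$scratch") && echo "mktemp: logging to ${new##*/}"
    rm -rf "$scratch"
}

demo
```

For a script that runs as root, keeping the log in a directory only root can write to avoids the problem without relying on the file name.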


