On 2008-11-28 19:49 +0100, Frank Küster wrote:
> Sven Joachim <[EMAIL PROTECTED]> wrote:
>> Auctex reuses an old logfile name in /tmp for logs whenever an emacsen
>> is installed/upgraded. Since /tmp is cleaned regularly, an attacker may
>> replace it with a symlink after the file has been deleted:
>>
>> ,----
>> | % debconf-show auctex
>> | debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
>> | * auctex/doauto: Background
>> | * auctex/default: true
>> | auctex/logfile: /tmp/update-auctex-elisp.pykjkoG
>> | auctex/alreadydefault:
>> | * auctex/defaultchanged:
>> | auctex/doautofg: File
> You proved it, but I don't understand it. From
> /usr/lib/emacsen-common/packages/install/auctex:
>
>     case "${_db_doautofg}" in
>         (Console)
>             rm -f ${_db_logfile}
>             /usr/sbin//update-auctex-elisp ${FLAVOR} ;;
>         (File)
>             echo >&2 -n "update-auctex-elisp: "
>             echo >&2 "Further output will appear in: ${_db_logfile}."
>             echo >&2 -n "auctex: "
>             echo >&2 -n "Waiting for update-auctex-elisp to terminate... "
>             /usr/sbin//update-auctex-elisp ${FLAVOR} >> ${_db_logfile} 2>&1
>
> So the file is removed before it is written to, and that should be safe,
> shouldn't it?

No, that code path is not entered because ${_db_doautofg} != Console
(and ${_db_doauto} != Foreground), see the debconf values:

    auctex/doauto: Background
    auctex/doautofg: File

Thus, the code actually run is

    (Background)
        /usr/sbin//update-auctex-elisp ${FLAVOR} >> ${_db_logfile} 2>&1 3>&- &
        echo >&2 -n "update-auctex-elisp[${!}]: "
        echo >&2 "Further output will appear in: ${_db_logfile}." ;;

I guess "rm -f ${_db_logfile}" needs to be added to this case as well.

Sven
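
The Background branch discussed above next to a hardened form, as an added example that is not part of the original message or of the AUCTeX package. The function names and all paths are hypothetical, and the files are constructed in a private directory.

```shell
#!/bin/sh
# Added example, not AUCTeX packaging code. Function names are hypothetical.

# Mirrors the Background branch: append to the stored, reused name.
# ">>" follows a symlink, so output lands in whatever the link points at.
run_logged_unsafe() {
    _log=$1; shift
    "$@" >> "$_log" 2>&1
}

# Exclusive create: with noclobber (set -C), bash and dash refuse a name
# that resolves to an existing regular file and create a missing name with
# O_CREAT|O_EXCL, so a (possibly dangling) symlink at $_log is not followed.
# The command is not run when the open fails.
run_logged_excl() {
    _log=$1; shift
    ( set -C; "$@" > "$_log" 2>&1 )
}

# Hardened form: unlink the old name (rm does not follow links), then
# create it exclusively, so a link raced in after the rm causes a failure
# instead of a write through the link.
run_logged_safe() {
    _log=$1; shift
    rm -f -- "$_log" || return 1
    run_logged_excl "$_log" "$@"
}

# Demonstration on constructed files in a private directory.
demo() {
    _d=$(mktemp -d) || return 1
    echo original > "$_d/victim"
    ln -s "$_d/victim" "$_d/log"          # constructed stale-name symlink
    run_logged_unsafe "$_d/log" echo "build output"
    echo "unsafe: victim holds: $(tr '\n' ' ' < "$_d/victim")"
    echo original > "$_d/victim"
    run_logged_safe "$_d/log" echo "build output"
    echo "safe:   victim holds: $(cat "$_d/victim")"
    rm -rf "$_d"
}
demo
```
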