Package: cplay
Severity: normal
Tags: security

CPLAY_TMP defaults to being in /tmp, and then the code does these checks:
1.
    if not os.path.exists(CPLAY_TMP):
        try:
            os.mkdir(CPLAY_TMP, 0700)
        except IOError:
            return
This will succeed if CPLAY_TMP is a symlink to an existing directory. Say,
to the home directory of the user running cplay.
2.
    try:
        os.chdir(CPLAY_TMP)
    except OSError:
        return
    if os.stat(".")[stat.ST_UID] != os.getuid():
        return
This will also succeed if the symlink points to some directory owned by
the user running cplay.
3.
    if os.path.exists(CONTROL_FIFO):
        if os.stat(CONTROL_FIFO)[stat.ST_MODE] & stat.S_IWOTH != 0:
            return
    else:
So the CONTROL_FIFO in the directory cannot be writable by others. At this
point in the program, anyway.
4.
    try:
        self.fd = open(CONTROL_FIFO, "rb+", 0)
Finally if all this succeeds, we open the fifo. Bug #255768 describes some
of the potential problems if other users can write to the fifo.
These checks look sufficient, until you consider that a user might own a
directory that an attacker has write permissions to. So we need two cplay
runs and some careful timing for a race:
a. Attacker links CPLAY_TMP to the directory that is owned by the victim
and to which attacker also has write access.
b. Victim runs cplay, it passes checks 1 and 2 and creates a new
CPLAY_TMP/CONTROL_FIFO.
c. Later, victim runs cplay again, it passes checks 1-3 as the file
exists in a directory with the right owner and has the right perms.
d. Attacker races cplay to delete the CONTROL_FIFO before it gets to 4,
replacing it with a fifo they've created that they have write access to.
e. Attacker uses techniques in bug #255768 to exploit/DoS cplay.
--
see shy jo
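The following is an added example, not cplay's code and not part of the bug report above, showing how the same four steps can be done without the path-lookup race the report describes. The function name open_control_fifo, the default FIFO name and the use of a caller-supplied directory are assumptions for illustration. The idea is to never trust a path that was checked a moment ago: mkdir() the directory yourself (mkdir does not follow a symlink at the last component, unlike os.path.exists), inspect it with lstat() so a symlink is rejected even when its target is owned by the user, refuse a directory that is group- or world-writable, do the mkfifo/open relative to a directory fd, open with O_NOFOLLOW, and finally check the object that was actually opened with fstat() rather than the name that was stat()ed earlier. An attacker who wins the race from step d ends up with their own FIFO being opened, which fstat() reports as not owned by the victim, so the open is abandoned.

```python
"""Race-free control FIFO setup: check what you opened, not what you looked up.

Added example (assumed names); requires Linux or another OS with dir_fd support.
"""
import os
import stat
import tempfile

UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def open_control_fifo(tmpdir, name="control"):
    """Create or reuse a private directory and a control FIFO inside it.

    Returns an open O_RDWR|O_NONBLOCK file descriptor for the FIFO, or raises
    OSError if the directory or the FIFO is not what we expect.
    """
    # Step 1: create the directory ourselves.  If an attacker planted a symlink
    # at tmpdir, mkdir() fails with EEXIST instead of "succeeding" through it.
    try:
        os.mkdir(tmpdir, 0o700)
    except FileExistsError:
        pass

    # Step 2: lstat(), not stat(): a symlink is rejected outright, even when it
    # points at a directory owned by us.  Also refuse a dir others can write to,
    # which is exactly the situation the race in the report depends on.
    st = os.lstat(tmpdir)
    if not stat.S_ISDIR(st.st_mode):
        raise OSError("%s is not a real directory (symlink?)" % tmpdir)
    if st.st_uid != os.getuid():
        raise OSError("%s is not owned by uid %d" % (tmpdir, os.getuid()))
    if st.st_mode & UNSAFE_WRITE_BITS:
        raise OSError("%s is writable by group/others" % tmpdir)

    # Step 3: hold an fd for the directory and do everything relative to it, so
    # later operations cannot be redirected by changing what the path resolves to.
    dfd = os.open(tmpdir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            os.mkfifo(name, 0o600, dir_fd=dfd)
        except FileExistsError:
            pass  # existing entry: verified below after opening it
        # Step 4: open without following symlinks; O_NONBLOCK so a FIFO with no
        # peer does not hang us.
        fd = os.open(name, os.O_RDWR | os.O_NONBLOCK | os.O_NOFOLLOW | os.O_CLOEXEC,
                     dir_fd=dfd)
    finally:
        os.close(dfd)

    # Check the object we actually opened.  An attacker who swapped in their own
    # FIFO (or a regular file) between steps 3 and 4 fails one of these tests.
    fst = os.fstat(fd)
    if (not stat.S_ISFIFO(fst.st_mode) or fst.st_uid != os.getuid()
            or fst.st_mode & UNSAFE_WRITE_BITS):
        os.close(fd)
        raise OSError("%s/%s was replaced or has unsafe permissions" % (tmpdir, name))
    return fd


def is_fifo_fd(fd):
    """Helper for callers/tests: True if fd refers to a FIFO."""
    return stat.S_ISFIFO(os.fstat(fd).st_mode)


if __name__ == "__main__":
    # Stand-alone demo in a fresh private directory (constructed, not /tmp/cplay).
    base = tempfile.mkdtemp()
    fd = open_control_fifo(os.path.join(base, "cplay"))
    print("opened control fifo, is FIFO:", is_fifo_fd(fd))
    os.close(fd)
```

Note that the directory check here is stricter than the original's: a directory that is group- or world-writable is refused even when the FIFO inside it looks fine, because that is the precondition for the delete-and-replace race.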