Control: tags -1 moreinfo On 05.10.2014 21:03, Josh Triplett wrote: > Package: powermanga > Version: 0.93-1 > Severity: grave > Tags: security > > ~$ ln -s ~/arbitrary-file /tmp/powermanga-log.txt > ~$ ls -l /tmp/powermanga-log.txt > lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt -> > /home/josh/arbitrary-file > ~$ powermanga > (II) configuration filename: /home/josh/.config/tlk-games/powermanga.conf > [config_file.c:231, configfile_load] > ~$ ls -l /tmp/powermanga-log.txt ~/arbitrary-file > -rw-r--r-- 1 josh games 154 Oct 4 21:15 /home/josh/arbitrary-file > lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt -> > /home/josh/arbitrary-file > ~$ cat arbitrary-file > 2014-10-04 21:14:55 (II) [File: config_file.c][Line: 231][Function: > configfile_load] configuration filename: > /home/josh/.config/tlk-games/powermanga.conf > > > This appears to allow overwriting an arbitrary file writable by either > the user or group games.
Hello, I have tried to verify your scenario and I came up with the following results: In your example you tried to overwrite an arbitrary-file in your home directory. I assume all files in $HOME are owned by josh:josh. Hence it comes to no surprise that you are able to overwrite the file since the powermanga-log.txt symlink is also owned by josh:josh. That is expected behavior because both files are owned by your user. However if another user with a different uid or in the same "games" group could overwrite an arbitrary file in your home directory, I would consider this a grave security issue. My tests on a recent Debian unstable system with Linux Kernel 3.16 did not confirm this assumption. Since Wheezy there is a Kernel feature activated by default that protects users from the exploitation of such security issues. [1] The security team treats all symlink attacks that are nullified by this protection as non-issues. [2] (see section "Distribution hardening") You can verify this by yourself by creating a different user with another uid who owns the symlink in this way: adduser test adduser test games ln -s /home/josh/arbitrary-file /tmp/powermanga-log.txt chown -h test:games /tmp/powermanga-log.txt When running the game I get this error message but it starts nonetheless. log_recorder.c/log_initialize()fopen(/tmp/powermanga-log.txt) failed (Permission denied) The arbitrary-file is not overwritten. Hence I think the severity should be downgraded and the bug report kept open until it is no longer necessary to use a temporary file for writing log messages. Regards, Markus [1] http://www.openwall.com/lists/kernel-hardening/2012/06/19/1 [2] https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
signature.asc
Description: OpenPGP digital signature