Bug#764144: powermanga: Insecure temporary file /tmp/powermanga-log.txt
Control: tags -1 moreinfo On 05.10.2014 21:03, Josh Triplett wrote: Package: powermanga Version: 0.93-1 Severity: grave Tags: security ~$ ln -s ~/arbitrary-file /tmp/powermanga-log.txt ~$ ls -l /tmp/powermanga-log.txt lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt - /home/josh/arbitrary-file ~$ powermanga (II) configuration filename: /home/josh/.config/tlk-games/powermanga.conf [config_file.c:231, configfile_load] ~$ ls -l /tmp/powermanga-log.txt ~/arbitrary-file -rw-r--r-- 1 josh games 154 Oct 4 21:15 /home/josh/arbitrary-file lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt - /home/josh/arbitrary-file ~$ cat arbitrary-file 2014-10-04 21:14:55 (II) [File: config_file.c][Line: 231][Function: configfile_load] configuration filename: /home/josh/.config/tlk-games/powermanga.conf This appears to allow overwriting an arbitrary file writable by either the user or group games. Hello, I have tried to verify your scenario and I came up with the following results: In your example you tried to overwrite an arbitrary-file in your home directory. I assume all files in $HOME are owned by josh:josh. Hence it comes to no surprise that you are able to overwrite the file since the powermanga-log.txt symlink is also owned by josh:josh. That is expected behavior because both files are owned by your user. However if another user with a different uid or in the same games group could overwrite an arbitrary file in your home directory, I would consider this a grave security issue. My tests on a recent Debian unstable system with Linux Kernel 3.16 did not confirm this assumption. Since Wheezy there is a Kernel feature activated by default that protects users from the exploitation of such security issues. [1] The security team treats all symlink attacks that are nullified by this protection as non-issues. [2] (see section Distribution hardening) You can verify this by yourself by creating a different user with another uid who owns the symlink in this way: adduser test adduser test games ln -s /home/josh/arbitrary-file /tmp/powermanga-log.txt chown -h test:games /tmp/powermanga-log.txt When running the game I get this error message but it starts nonetheless. log_recorder.c/log_initialize()fopen(/tmp/powermanga-log.txt) failed (Permission denied) The arbitrary-file is not overwritten. Hence I think the severity should be downgraded and the bug report kept open until it is no longer necessary to use a temporary file for writing log messages. Regards, Markus [1] http://www.openwall.com/lists/kernel-hardening/2012/06/19/1 [2] https://lists.debian.org/debian-devel-announce/2014/03/msg4.html signature.asc Description: OpenPGP digital signature
Processed: Re: Bug#764144: powermanga: Insecure temporary file /tmp/powermanga-log.txt
Processing control commands: tags -1 moreinfo Bug #764144 [powermanga] powermanga: Insecure temporary file /tmp/powermanga-log.txt Added tag(s) moreinfo. -- 764144: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764144 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764144: powermanga: Insecure temporary file /tmp/powermanga-log.txt
Package: powermanga Version: 0.93-1 Severity: grave Tags: security ~$ ln -s ~/arbitrary-file /tmp/powermanga-log.txt ~$ ls -l /tmp/powermanga-log.txt lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt - /home/josh/arbitrary-file ~$ powermanga (II) configuration filename: /home/josh/.config/tlk-games/powermanga.conf [config_file.c:231, configfile_load] ~$ ls -l /tmp/powermanga-log.txt ~/arbitrary-file -rw-r--r-- 1 josh games 154 Oct 4 21:15 /home/josh/arbitrary-file lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt - /home/josh/arbitrary-file ~$ cat arbitrary-file 2014-10-04 21:14:55 (II) [File: config_file.c][Line: 231][Function: configfile_load] configuration filename: /home/josh/.config/tlk-games/powermanga.conf This appears to allow overwriting an arbitrary file writable by either the user or group games. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages powermanga depends on: ii libc62.19-11 ii libpng12-0 1.2.50-2 ii libsdl-mixer1.2 1.2.12-11+b1 ii libsdl1.2debian 1.2.15-10 ii powermanga-data 0.93-1 powermanga recommends no packages. powermanga suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org