** Description changed:
Binary package hint: xfs
The xfs start/stop script /etc/init.d/xfs is insecure. There is a
problematic function set_up_socket_dir in this script:
SOCKET_DIR=/tmp/.font-unix
[...]
set_up_socket_dir () {
    echo -n "Setting up X font server socket directory $SOCKET_DIR..."
    if [ -e $SOCKET_DIR ] && ! [ -d $SOCKET_DIR ]; then
        mv $SOCKET_DIR $SOCKET_DIR.$$
    fi
    if ! [ -d $SOCKET_DIR ]; then
        mkdir -m 1777 $SOCKET_DIR || :
        do_restorecon $SOCKET_DIR || :
    fi
    echo "done."
}
This function moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately
$$ is predictable and there is no test that /tmp/.font-unix.$$ does not
already exist. So especially symlink attacks are possible. The attack is
only possible if /tmp/.font-unix does not already exist. Then an
attacker could create a /tmp/.font-unix file (not directory) and create
some symlinks in the form /tmp/.font-unix.XXXX (where XXXX are possible
PID numbers). The start script then moves /tmp/.font-unix to a
symlinked directory /tmp/.font-unix.XXXX.
I suggest deleting the contents of /tmp/.font-unix if this file is not
a directory. For instance "rm -rf /tmp/.font-unix" should be ok ("rm"
from coreutils should be safe). A possible fix is also described here:
https://bugzilla.novell.com/show_bug.cgi?id=408006
- The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is
- attached.
+ The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is
attached.
+ [lspci]
+ 00:00.0 Host bridge [0600]: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP
340M] [1002:cbb2] (rev 02)
+ Subsystem: Sony Corporation Device [104d:8175]
+ 01:05.0 VGA compatible controller [0300]: ATI Technologies Inc M9+ 5C61
[Radeon Mobility 9200 (AGP)] [1002:5c61] (rev 01)
+ Subsystem: Sony Corporation Device [104d:8175]
--
Insecure xfs start/stop script
https://bugs.launchpad.net/bugs/299560
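
Added example, not part of the bug report and not the fix shipped by the package: one way to write set_up_socket_dir along the lines the report suggests (remove a non-directory instead of renaming it to a PID-suffixed name, and treat a failed mkdir as an error). Passing the directory as an argument and the ownership check are assumptions made for this sketch.

```shell
#!/bin/sh
# Hardened sketch of set_up_socket_dir (added example, not the xfs script).
# The directory is an argument so the function can be run in a scratch dir.
# Usage in an init script would be: set_up_socket_dir /tmp/.font-unix

set_up_socket_dir () {
    dir=$1

    # A symlink or any other non-directory at this path is never trusted
    # and never renamed to a guessable name; it is removed. rm does not
    # follow a symlink given as its operand, so only the link goes away.
    if [ -L "$dir" ] || { [ -e "$dir" ] && ! [ -d "$dir" ]; }; then
        rm -rf -- "$dir" || return 1
    fi

    if [ -d "$dir" ]; then
        # Pre-existing directory: accept it only if we own it.
        [ -O "$dir" ] || { echo "refusing $dir: not owned by us" >&2; return 1; }
        chmod 1777 "$dir" || return 1
    else
        # mkdir without -p fails if anything (including a symlink planted
        # in the meantime) occupies the name, so losing a race is reported
        # as an error instead of being hidden by "mkdir ... || :".
        mkdir -m 1777 "$dir" || return 1
    fi

    # Final check on what is actually at the path now.
    [ -d "$dir" ] && ! [ -L "$dir" ] && [ -O "$dir" ]
}
```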