Bug 126940
| Summary: | im-switch symlink vulnerability | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | SEKINE Tatsuo <sekine.t> |
| Component: | im-sdk | Assignee: | Jens Petersen <petersen> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2 | CC: | eng-i18n-bugs |
| Target Milestone: | --- | Keywords: | i18n, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2004-07-07 04:16:56 UTC | Type: | --- |
| Bug Blocks: | 125997 | ||
Thanks for spotting this - should get fixed in an update soon.

im-sdk-11.4-46.1 has been built to address this issue.

Great efforts guys. Performed sanity check and verified that the tmp file imswitcher$$ no longer exists in the dir after using the im-switch command.
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
The /usr/bin/im-switch program uses the file "/tmp/imswitcher$$" as a temporary file. This way of using a temporary file is insecure, because /tmp/ is writable by everyone and $$ (PID) is predictable. When root tries to set the system-wide setting of IM, an attacker can crash an important file without root privilege.

Version-Release number of selected component (if applicable):
iiimf-x-11.4-46.svn1587

How reproducible:
Always

Steps to Reproduce:
1. An attacker who has only normal privilege types the following:

    $ bash -c 'i=1;while [ $i -lt 65536 ]; do ln -s /etc/IMPORTANT_FILE /tmp/imswitcher$i; let "i++"; done'

2. root types the following to set the system-wide IM setting:

    # /usr/bin/im-switch -w -m xim

3.

Actual Results: /etc/IMPORTANT_FILE becomes broken.

Expected Results: /etc/IMPORTANT_FILE is independent from the behavior of the im-switch program.

Additional info:
The mktemp(1) command or "umask 077; mkdir /tmp/..." should be used to make the temporary file (directory).
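
The two fixes named under "Additional info", set beside the pattern the report describes, as an added example that is not part of the bug report and is not im-switch's own code. The function names and the sandbox directory standing in for /tmp are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. Function names and the sandbox layout are hypothetical;
# "$1" is a directory standing in for /tmp, "$2" is the text to write.

# Pattern from the report: predictable name plus plain redirection.
# If "$1/imswitcher$$" is already a symlink, the write lands on its target.
write_predictable() {
    tmp="$1/imswitcher$$"
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Fix 1: mktemp(1) chooses a random suffix and creates the file exclusively
# with mode 0600, so a name planted in advance is never opened.
write_mktemp() {
    tmp=$(mktemp "$1/imswitcher.XXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Fix 2: "umask 077; mkdir". mkdir fails if the name exists in any form,
# including as a symlink, so the script stops instead of writing.
write_private_dir() {
    dir="$1/imswitcher$$.d"
    (umask 077; mkdir "$dir") 2>/dev/null || return 1
    echo "$2" > "$dir/out"
    echo "$dir/out"
}

# Constructed sandbox: a stand-in "important" file and symlinks planted at
# the predictable names. Prints the file's content after a write by "$1",
# prefixed with "refused " when the writer declined to proceed.
check_writer() {
    sb=$(mktemp -d) || return 1
    echo original > "$sb/important"
    ln -s "$sb/important" "$sb/imswitcher$$"
    ln -s "$sb/important" "$sb/imswitcher$$.d"
    "$1" "$sb" overwritten >/dev/null || printf 'refused '
    cat "$sb/important"
    rm -rf "$sb"
}
```

Calling `check_writer` with each writer's name shows whether the stand-in file survives a write while the planted symlinks are in place.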