Red Hat Bugzilla – Bug 126940
im-switch symlink vulnerability
Last modified: 2007-11-30 17:10:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510
Description of problem:
The /usr/bin/im-switch program uses the file "/tmp/imswitcher$$" as a temporary file.
This way of using a temporary file is insecure, because
/tmp/ is writable by everyone and $$ (PID) is predictable.
When root tries to set the system-wide IM setting, an attacker can crash
an important file without root privilege.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. An attacker who has only normal privilege types the following:
$ bash -c 'i=1;while [ $i -lt 65536 ]; do ln -s /etc/IMPORTANT_FILE /tmp/imswitcher$i; let "i++"; done'
2. root types below to set system-wide IM setting:
# /usr/bin/im-switch -w -m xim
Actual Results: /etc/IMPORTANT_FILE becomes broken.
Expected Results: /etc/IMPORTANT_FILE is independent of the
behavior of the im-switch program.
The mktemp(1) command or "umask 077; mkdir /tmp/..." should be used to
make the temporary file (directory).
Thanks for spotting this - should get fixed in an update soon.
im-sdk-11.4-46.1 has been built to address this issue.
Great efforts guys.
Performed a sanity check and verified that the tmp file imswitcher$$ no
longer exists in the dir after using the im-switch command.
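
The contrast behind the report's mktemp(1) recommendation, as an added example that is not part of the original bug thread or of the im-sdk fix: a write to a predictable "imswitcher$$" name follows a symlink that already exists there, while mktemp creates a fresh, unpredictably named file. The function names and the sandbox layout are assumptions made for illustration, and the link is created only inside a private scratch directory.

```shell
#!/bin/sh
# Added example (not im-switch source). All names below are hypothetical.

# Pattern from the report: predictable name, and '>' follows an existing
# symlink, so the data lands in whatever file the link points to.
write_predictable() {   # $1 = directory, $2 = data
    tmp="$1/imswitcher$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing symlink is never opened.
write_mktemp() {        # $1 = directory, $2 = data
    tmp=$(mktemp "$1/imswitcher.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
}

# Runs writer $1 in a scratch directory where the predictable name is
# already a symlink to a stand-in "important" file, then prints that
# file's content so the caller can see whether it was overwritten.
victim_after() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"          # constructed sample file
    ln -s "$box/victim" "$box/imswitcher$$"      # constructed pre-existing link
    "$1" "$box" "xim"
    cat "$box/victim"
    rm -rf "$box"
}

echo "predictable name: file now contains '$(victim_after write_predictable)'"
echo "mktemp:           file still contains '$(victim_after write_mktemp)'"
```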