Red Hat Bugzilla – Bug 126940
im-switch symlink vulnerability
Last modified: 2007-11-30 17:10:45 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510 Description of problem: /usr/bin/im-switch program use file "/tmp/imswitcher$$" as temporary file. This way to use temporary file is insecure, because /tmp/ is everyone writable and $$(PID) is predictable. When root try to set system-wide setting of IM, attacker can crash important file without root privilege. Version-Release number of selected component (if applicable): iiimf-x-11.4-46.svn1587 How reproducible: Always Steps to Reproduce: 1. an attacker who has onlu normal privilege types as followed: $ bash -c 'i=1;while [ $i -lt 65536 ]; do ln -s /etc/IMPORTANT_FILE /tmp/imswitcher$i; let "i++"; done' 2. root types below to set system-wide IM setting: # /usr/bin/im-switch -w -m xim 3. Actual Results: /etc/IMPORTANT_FILE becomes broken. Expected Results: /etc/IMPORTANT_FILE is independent from the behavior of im-switch program. Additional info: mktemp(1) command or "umask 077; mkdir /tmp/..." should be used to make temporary file(directory).
Thanks for spotting this - should get fixed in an update soon.
im-sdk-11.4-46.1 has been built to address this issue.
Great efforts guys. Performed sanity check and verified that the tmp file imswitcher$$ no longer exist in the dir after using im-swicth command.