Bug 4118 - Programs with possible /tmp symlink exploits
Summary: Programs with possible /tmp symlink exploits
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 6.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-07-19 16:14 UTC by tf
Modified: 2008-05-01 15:37 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2000-02-15 22:14:36 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description tf 1999-07-19 16:14:46 UTC 
Following mail just went to the debian folks:

Dear Nerds,

maybe you remember my /tmp symlink attack posting to bugtraq
some time
ago. Some closer investigation revealed that in SuSE Linux
6.1 (a pity we
are not allowed to use debian at our site, but anyway...),
the following
programs were susceptible to symlink attacks; of course, the
list most
probably is not complete, but it contains the most
frequently used
programs showing bad behaviour:

Exploitable Program             typical file

man                             /tmp/zman09639aaa
all the rcs stuff               /tmp/T0a10328
netscape                        /tmp/jzip378496230054DAE
mktexpk                         /tmp/mt20385.tmp/mt20385.out
tkdesksh                        /tmp/17780aaa
kmail
/tmp/kmail26766/part4/unnamed,
/tmp/kmail26766/part2/scharfes_s.ps
pine                            /tmp/pine_prt023368
kdmrc                           /tmp/T0a23848
mupad
/tmp/xmupad_mupad_connect.5663
pvmd3                           /tmp/pvml.2346

Don't know yet where these calls did come from; some might
be
SuSE-specific.

?  sh -c mount /dev/fd0 2>/tmp/mnt931444692
?  /usr/bin/vi /tmp/snd.4920
?  cp query /tmp
Furthermore, I think cflow also had problems on my private
machine.
Note You need to log in before you can comment on or make changes to this bug.