The Xastir package, as shipped with the Fedora releases, is prone
to a symlink attack.
Relevant part of the code:
168 printf "Warning: /usr/local/lib not in %s - adding it\n" $LDCONF_FILE
169 if [ -f $LDCONF_FILE ]
171 cp $LDCONF_FILE /tmp/ldconfig.tmp
172 $SUDO cp $LDCONF_FILE $LDCONF_FILE.orig.$$
174 printf "/usr/local/lib\n" >> /tmp/ldconf.tmp
175 $SUDO cp /tmp/ldconf.tmp $LDCONF_FILE
141 if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
143 printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
144 cp /etc/ld.so.conf /tmp
145 printf "/usr/local/lib\n" >> /tmp/ld.so.conf
146 $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
147 $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
A malicious user can precreate a symlink, which would point to /tmp/ldconf.tmp
and subsequently run the 'xastir' command. This could allow him to
modify the target of the symlink, which would be otherwise prevented
from changes made by an unprivileged Linux user.
This issue affects all versions of the xastir package, as shipped
within the Fedora releases 8, 9 and 10.
xastir-1.9.2-7.fc8 has been submitted as an update for Fedora 8.
xastir-1.9.2-8.fc9 has been submitted as an update for Fedora 9.
Thank you for your report.
+ MKT=`which mktemp`
+ printf "/usr/local/lib\n" >> $MKT
+ $SUDO cp $MKT $LDCONF_FILE
printf "/usr/local/lib\n" >> /bin/mktemp
$SUDO cp /bin/mktemp $LDCONF_FILE
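Review bot: On the first added line, MKT=`which mktemp` stores the path of the mktemp binary instead of running it, so the `>> $MKT` append and the `$SUDO cp $MKT $LDCONF_FILE` on the next two lines operate on the binary itself, as the /bin/mktemp expansion shows. Run the command and capture its output, for example `MKT=$(mktemp) || exit 1`, quote "$MKT" in both uses, and remove the file once it has been copied. The visible lines only append one line to the temp file before copying it over $LDCONF_FILE, so also check that the existing contents of $LDCONF_FILE are copied into the new temp file first.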
Created attachment 315217
*DO NOT USE* Debian patch
Debian patch based on original bug report:
Looks like that patch got it wrong as well ;(.
Created attachment 315220
Improved Debian patch
On a closer look, the following
printf "Checking /etc/ld.so.conf"
if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
cp /etc/ld.so.conf /tmp
printf "/usr/local/lib\n" >> /tmp/ld.so.conf
$SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
$SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
should be only needed when compiling from source and with no prefix specified
(no prefix defaults to /usr/local). We ship xastir with /usr as prefix and
we already have /usr/lib among ldconfig search paths, so this makes the
above useless. I think just stripping those sections from both files will fix
Sorry, I'm completely out of context, so I may be completely wrong... but those two affected scripts seem to download source for shapelib and maptools (whatever those packages are), build and install them (probably in /usr/local).
Yes, but xastir is already built against shapelib and maptools (gdal, proj4, ..). They're not required at all. I think they were made for easier installation when compiling from source. I think it shouldn't have been packaged in the first place.
Ok, thanks! So dropping those scripts completely seems like a good way to go.
xastir-1.9.2-9.fc9 has been submitted as an update for Fedora 9.
xastir-1.9.2-8.fc8 has been submitted as an update for Fedora 8.
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xastir-1.9.2-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-4987 was assigned to this issue:
xastir 1.9.2 allows local users to overwrite arbitrary files via a
symlink attack on the (a) /tmp/ldconfig.tmp, (b) /tmp/ldconf.tmp, and
(c) /tmp/ld.so.conf temporary files, related to the (1)
get-maptools.sh and (2) get_shapelib.sh scripts.
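The pattern named in the CVE text (append to a fixed name in a shared temp directory, then copy the result over the config) beside a mktemp-based form, as an added example that is not code from xastir or from either patch discussed in this report. The function names, the sandbox layout and the file contents are constructed for the demonstration, and a private directory stands in for /tmp and /etc.

```shell
#!/bin/sh
# Added example, not xastir code. Everything happens inside a private
# directory made by mktemp -d; nothing under /tmp or /etc is touched.

# Vulnerable pattern (mirrors the quoted script): fixed, guessable temp name.
# $1 = config file, $2 = shared temp directory (stands in for /tmp)
add_path_predictable() (
    conf=$1 tmpdir=$2
    # '>>' follows whatever already exists at this name, symlinks included
    printf '/usr/local/lib\n' >> "$tmpdir/ldconf.tmp"
    cp "$tmpdir/ldconf.tmp" "$conf"
)

# Hardened form: mktemp creates a brand-new file with an unpredictable name
# (O_EXCL, mode 0600), so a pre-existing symlink is never opened.
add_path_mktemp() (
    conf=$1 tmpdir=$2
    tmp=$(mktemp "$tmpdir/ldconf.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT          # clean up on every exit path
    cat "$conf" > "$tmp" &&
    printf '/usr/local/lib\n' >> "$tmp" &&
    cp "$tmp" "$conf"
)

# Constructed sandbox: a config file, a file the caller should not be able
# to change, and a symlink already sitting at the predictable temp name.
# Prints the sandbox path.
make_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    printf '/usr/lib\n' > "$box/ld.so.conf"
    printf 'protected\n' > "$box/protected"
    ln -s "$box/protected" "$box/tmp/ldconf.tmp"
    printf '%s\n' "$box"
}

# Returns 0 if the protected file still holds only its original line.
protected_intact() {
    [ "$(cat "$1/protected")" = "protected" ]
}
```

In the sandbox, the predictable-name function changes the protected file and copies its contents into the config, while the mktemp form leaves it untouched and removes its temp file.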