The Xastir package, as shipped with the Fedora releases, is prone to a symlink attack.

Affected files:

    /usr/share/xastir/get-maptools.sh
    /usr/share/xastir/get_shapelib.sh

Relevant part of the code:

get-maptools.sh:

    printf "Warning: /usr/local/lib not in %s - adding it\n" $LDCONF_FILE
    if [ -f $LDCONF_FILE ]
    then
        cp $LDCONF_FILE /tmp/ldconfig.tmp
        $SUDO cp $LDCONF_FILE $LDCONF_FILE.orig.$$
    fi
    printf "/usr/local/lib\n" >> /tmp/ldconf.tmp
    $SUDO cp /tmp/ldconf.tmp $LDCONF_FILE

get_shapelib.sh:

    if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
    then
        printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
        cp /etc/ld.so.conf /tmp
        printf "/usr/local/lib\n" >> /tmp/ld.so.conf
        $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
        $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
    fi

A malicious user can pre-create a symlink, which would point to /tmp/ldconf.tmp, and subsequently run the 'xastir' command. This could allow him to modify the target of the symlink, which would otherwise be protected from changes made by an unprivileged Linux user.
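As an added example (this is not code from xastir, nor from the Fedora or Debian patches), the following POSIX shell script reproduces the fixed-name temp-file race from get-maptools.sh inside a private sandbox, so it needs no root and touches neither the real /tmp nor /etc, and then runs the same update through a mktemp-based version that the pre-planted symlink cannot reach. The paths under $SANDBOX (stand-ins for /etc/ld.so.conf, for world-writable /tmp and for a file only root may write) and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from xastir or from the Fedora/Debian patches.
# Reproduces the fixed-name temp-file symlink attack from get-maptools.sh in a
# private sandbox (no root, real /tmp and /etc untouched) and shows the
# mktemp-based pattern that closes it. Paths under $SANDBOX are assumed
# stand-ins for /etc/ld.so.conf, world-writable /tmp and a root-owned file.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
LDCONF_FILE="$SANDBOX/etc/ld.so.conf"   # stand-in for /etc/ld.so.conf
SHARED_TMP="$SANDBOX/tmp"               # stand-in for /tmp
VICTIM="$SANDBOX/protected"             # stand-in for a file only root may write

# Fresh state before each run: an ld.so.conf without /usr/local/lib and a
# victim file whose contents are checked afterwards.
setup() {
    rm -rf "$SANDBOX/etc" "$SHARED_TMP"
    mkdir -p "$SANDBOX/etc" "$SHARED_TMP"
    printf '/lib\n/usr/lib\n' > "$LDCONF_FILE"
    printf 'original contents\n' > "$VICTIM"
}

# Attacker: plant the predictable name as a symlink to the file to clobber.
# Both cp and >> follow an existing symlink, so the later writes land there.
plant_symlink() {
    ln -s "$VICTIM" "$SHARED_TMP/ldconf.tmp"
}

# Vulnerable pattern (mirrors get-maptools.sh): a guessable name in a shared
# directory, opened without O_EXCL. The original also mixes up ldconfig.tmp
# and ldconf.tmp; a single name is used here to isolate the symlink race.
add_ldpath_vulnerable() {
    if ! grep -q /usr/local/lib "$LDCONF_FILE"; then
        cp "$LDCONF_FILE" "$SHARED_TMP/ldconf.tmp"
        printf '/usr/local/lib\n' >> "$SHARED_TMP/ldconf.tmp"
        cp "$SHARED_TMP/ldconf.tmp" "$LDCONF_FILE"
    fi
}

# Hardened pattern: mktemp(1) creates the file itself, exclusively, with an
# unpredictable name and mode 0600, so no pre-planted symlink can match it,
# and the file is removed again whether or not the update succeeded.
add_ldpath_hardened() {
    if ! grep -q /usr/local/lib "$LDCONF_FILE"; then
        tmp=$(mktemp "$SHARED_TMP/ldconf.XXXXXX") || return 1
        cat "$LDCONF_FILE" > "$tmp" &&
            printf '/usr/local/lib\n' >> "$tmp" &&
            cp "$tmp" "$LDCONF_FILE"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
}

# Returns 0 if the victim was overwritten by the run, 1 if it survived intact.
victim_clobbered() {
    ! grep -q 'original contents' "$VICTIM"
}

run_vulnerable() { setup; plant_symlink; add_ldpath_vulnerable; victim_clobbered; }
run_hardened()   { setup; plant_symlink; add_ldpath_hardened;   victim_clobbered; }

if run_vulnerable; then
    echo "fixed-name version: the planted symlink redirected the write, victim overwritten"
fi
if ! run_hardened; then
    echo "mktemp version: victim untouched, /usr/local/lib appended to ld.so.conf"
fi
```

Two things make the hardened version hold up: the name is not guessable, and mktemp creates the file with O_EXCL so an existing path of that name (symlink or not) makes it fail rather than get reused. The remaining exposure in the real scripts is the privileged `$SUDO cp /tmp/... $LDCONF_FILE` step, which copies whatever is at that path as root; it is only safe because the file was created exclusively by the same user moments earlier, which is another reason the Fedora fix simply dropped the scripts.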
This issue affects all versions of the xastir package, as shipped within the Fedora releases 8, 9 and 10.
xastir-1.9.2-7.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/xastir-1.9.2-7.fc8
xastir-1.9.2-8.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc9
Thank you for your report.
http://cvs.fedoraproject.org/viewvc/rpms/xastir/F-9/xastir-1.9.2-tmpdir.patch?revision=1.1&view=markup + MKT=`which mktemp` + printf "/usr/local/lib\n" >> $MKT + $SUDO cp $MKT $LDCONF_FILE Should be: MKT=/bin/mktemp printf "/usr/local/lib\n" >> /bin/mktemp $SUDO cp /bin/mktemp $LDCONF_FILE Ouch...
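Review bot: the `MKT=\`which mktemp\`` line assigns the path of the mktemp executable to MKT rather than the name of a newly created temporary file, so `printf "/usr/local/lib\n" >> $MKT` appends to the mktemp binary (or fails for an unprivileged user) and `$SUDO cp $MKT $LDCONF_FILE` then copies that binary over ld.so.conf. Replace it with `MKT=$(mktemp) || exit 1` (or `mktemp /tmp/ldconf.XXXXXX`), which creates an unpredictable, exclusively opened file, and remove the file after the copy; the earlier `cp $LDCONF_FILE ...` into the temporary file must write to the same $MKT, otherwise the appended line is all that ends up in ld.so.conf.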
Created attachment 315217: *DO NOT USE* Debian patch

Debian patch based on original bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496383

Looks like that patch got it wrong as well ;(.
Created attachment 315220: Improved Debian patch
On a closer look, the following section of get_shapelib.sh:

    printf "Checking /etc/ld.so.conf"
    if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
    then
        printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
        cp /etc/ld.so.conf /tmp
        printf "/usr/local/lib\n" >> /tmp/ld.so.conf
        $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
        $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
    fi

should only be needed when compiling from source with no prefix specified (no prefix defaults to /usr/local). We ship xastir with /usr as prefix and we already have /usr/lib among the ldconfig search paths, so this makes the above useless. I think just stripping those sections from both files will fix this issue.
Sorry, I'm completely out of context, so I may be completely wrong... but those two affected scripts seem to download source for shapelib and maptools (whatever those packages are), build and install them (probably in /usr/local).
Yes, but xastir is already built against shapelib and maptools (gdal, proj4, ...). They're not required at all. I think they were made for easier installation when compiling from source. I think they shouldn't have been packaged in the first place.
Ok, thanks! So dropping those scripts completely seems like a good way to go.
xastir-1.9.2-9.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/xastir-1.9.2-9.fc9
xastir-1.9.2-8.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc8
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xastir-1.9.2-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-4987 was assigned to this issue: xastir 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the (a) /tmp/ldconfig.tmp, (b) /tmp/ldconf.tmp, and (c) /tmp/ld.so.conf temporary files, related to the (1) get-maptools.sh and (2) get_shapelib.sh scripts.