Bug 460429 (CVE-2008-4987) - CVE-2008-4987 xastir: Insecure auxiliary /tmp file usage (symlink attack possible)
Summary: CVE-2008-4987 xastir: Insecure auxiliary /tmp file usage (symlink attack poss...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4987
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-28 09:22 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-05 18:57:35 UTC


Attachments (Terms of Use)
*DO NOT USE* Debian patch (2.57 KB, patch)
2008-08-28 13:31 UTC, Tomas Hoger
no flags Details | Diff
Improved Debian patch (1.32 KB, patch)
2008-08-28 14:08 UTC, Tomas Hoger
no flags Details | Diff

Description Jan Lieskovsky 2008-08-28 09:22:00 UTC
The Xastir package, as shipped with the Fedora releases is prone
to the symlink attack. 

Affected files:

/usr/share/xastir/get-maptools.sh
/usr/share/xastir/get_shapelib.sh

Relevant part of the code:

get-maptools.sh:


    168         printf "Warning: /usr/local/lib not in %s - adding it\n" $LDCONF_FILE
    169         if [ -f $LDCONF_FILE ]
    170         then
    171                 cp $LDCONF_FILE /tmp/ldconfig.tmp
    172                 $SUDO cp $LDCONF_FILE $LDCONF_FILE.orig.$$
    173         fi
    174         printf "/usr/local/lib\n" >> /tmp/ldconf.tmp
    175         $SUDO cp /tmp/ldconf.tmp $LDCONF_FILE


get_shapelib.sh:


    141     if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
    142     then
    143         printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
    144         cp /etc/ld.so.conf /tmp
    145         printf "/usr/local/lib\n" >> /tmp/ld.so.conf
    146         $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
    147         $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
    148     fi


A malicious user can precreate a symlink, which would point to /tmp/ldconf.tmp
and subsequently run the 'xastir' command. This could allow him to 
modify the target of the symlink, which would be otherwise prevented
from changes made by an unprivileged Linux user.

Comment 1 Jan Lieskovsky 2008-08-28 09:22:54 UTC
This issue affects all versions of the xastir package, as shipped 
within the Fedora releases 8, 9 and 10.

Comment 2 Fedora Update System 2008-08-28 13:16:32 UTC
xastir-1.9.2-7.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/xastir-1.9.2-7.fc8

Comment 3 Fedora Update System 2008-08-28 13:17:11 UTC
xastir-1.9.2-8.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc9

Comment 4 Lucian Langa 2008-08-28 13:22:22 UTC
Thank you for your report.

Comment 5 Tomas Hoger 2008-08-28 13:25:23 UTC
http://cvs.fedoraproject.org/viewvc/rpms/xastir/F-9/xastir-1.9.2-tmpdir.patch?revision=1.1&view=markup

+	MKT=`which mktemp`
+        printf "/usr/local/lib\n" >> $MKT
+        $SUDO cp $MKT $LDCONF_FILE

Should be:

MKT=/bin/mktemp
printf "/usr/local/lib\n" >> /bin/mktemp
$SUDO cp /bin/mktemp $LDCONF_FILE

Ouch...

Comment 6 Tomas Hoger 2008-08-28 13:31:51 UTC
Created attachment 315217 [details]
*DO NOT USE* Debian patch

Debian patch based on original bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496383

Looks like that patch got it wrong as well ;(.

Comment 7 Tomas Hoger 2008-08-28 14:08:52 UTC
Created attachment 315220 [details]
Improved Debian patch

Comment 8 Lucian Langa 2008-08-28 14:19:53 UTC
On a closer look, the following

    get_shapelib.sh:


        printf "Checking /etc/ld.so.conf"

        if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
        then
            printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
            cp /etc/ld.so.conf /tmp
            printf "/usr/local/lib\n" >> /tmp/ld.so.conf
            $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
            $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
        fi

should be only needed when compiling from source and with no prefix specified
(no prefix defaults to /usr/local). We ship xastir with /usr as prefix and
we already have /usr/lib among ldconfig search paths, so this makes the
above useless. I think just stripping those section from both files will fix
this issue.

Comment 9 Tomas Hoger 2008-08-28 14:31:09 UTC
Sorry, I'm completely out of context, so I may be completely wrong... but those two affected scripts seem to download source for shapelib and maptools (whatever those packages are), build and install them (probably in /usr/local).

Comment 10 Lucian Langa 2008-08-28 14:38:34 UTC
Yes but xastir is already build against shapelib and maptools (gdal, proj4, ..). There're not required at all. I think were made for easier instalation when compiling from sure. I think it shouldn't have been packaged in the first place.

Comment 11 Tomas Hoger 2008-08-28 15:01:04 UTC
Ok, thanks!  So dropping those scripts completely seems like a good way to go.

Comment 12 Fedora Update System 2008-08-28 18:40:47 UTC
xastir-1.9.2-9.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/xastir-1.9.2-9.fc9

Comment 13 Fedora Update System 2008-08-28 18:42:03 UTC
xastir-1.9.2-8.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc8

Comment 14 Fedora Update System 2008-09-05 12:20:55 UTC
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-09-10 06:48:03 UTC
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2008-09-10 07:00:23 UTC
xastir-1.9.2-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Tomas Hoger 2008-11-06 17:50:15 UTC
CVE id CVE-2008-4987 was assigned to this issue:

xastir 1.9.2 allows local users to overwrite arbitrary files via a
symlink attack on the (a) /tmp/ldconfig.tmp, (b) /tmp/ldconf.tmp, and
(c) /tmp/ld.so.conf temporary files, related to the (1)
get-maptools.sh and (2) get_shapelib.sh scripts.


Note You need to log in before you can comment on or make changes to this bug.