Bug 460429 - (CVE-2008-4987) CVE-2008-4987 xastir: Insecure auxiliary /tmp file usage (symlink attack possible)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
reported=20080826,public=20080824,sou...
: Security
Reported: 2008-08-28 05:22 EDT by Jan Lieskovsky
Modified: 2008-11-06 12:50 EST
Last Closed: 2008-09-05 14:57:35 EDT
Attachments:
*DO NOT USE* Debian patch (2.57 KB, patch), 2008-08-28 09:31 EDT, Tomas Hoger
Improved Debian patch (1.32 KB, patch), 2008-08-28 10:08 EDT, Tomas Hoger

Description Jan Lieskovsky 2008-08-28 05:22:00 EDT
The Xastir package, as shipped with the Fedora releases, is prone
to a symlink attack.

Affected files:

/usr/share/xastir/get-maptools.sh
/usr/share/xastir/get_shapelib.sh

Relevant part of the code:

get-maptools.sh:


    printf "Warning: /usr/local/lib not in %s - adding it\n" $LDCONF_FILE
    if [ -f $LDCONF_FILE ]
    then
            cp $LDCONF_FILE /tmp/ldconfig.tmp
            $SUDO cp $LDCONF_FILE $LDCONF_FILE.orig.$$
    fi
    printf "/usr/local/lib\n" >> /tmp/ldconf.tmp
    $SUDO cp /tmp/ldconf.tmp $LDCONF_FILE


get_shapelib.sh:


    if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
    then
        printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
        cp /etc/ld.so.conf /tmp
        printf "/usr/local/lib\n" >> /tmp/ld.so.conf
        $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
        $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
    fi


A malicious user can precreate a symlink, which would point to /tmp/ldconf.tmp
and subsequently run the 'xastir' command. This could allow him to 
modify the target of the symlink, which would be otherwise prevented
from changes made by an unprivileged Linux user.
Comment 1 Jan Lieskovsky 2008-08-28 05:22:54 EDT
This issue affects all versions of the xastir package, as shipped 
within the Fedora releases 8, 9 and 10.
Comment 2 Fedora Update System 2008-08-28 09:16:32 EDT
xastir-1.9.2-7.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/xastir-1.9.2-7.fc8
Comment 3 Fedora Update System 2008-08-28 09:17:11 EDT
xastir-1.9.2-8.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc9
Comment 4 Lucian Langa 2008-08-28 09:22:22 EDT
Thank you for your report.
Comment 5 Tomas Hoger 2008-08-28 09:25:23 EDT
http://cvs.fedoraproject.org/viewvc/rpms/xastir/F-9/xastir-1.9.2-tmpdir.patch?revision=1.1&view=markup

+	MKT=`which mktemp`
+        printf "/usr/local/lib\n" >> $MKT
+        $SUDO cp $MKT $LDCONF_FILE
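
Review bot: the first added line, MKT=`which mktemp`, stores the path of the mktemp program rather than the name of a newly created temporary file, so the printf line appends to that binary and the cp line copies it over $LDCONF_FILE. Run the command instead, for example MKT=$(mktemp) followed by a check that it succeeded, quote "$MKT" in the printf and cp lines, and remove the file after the copy. Within these three lines nothing copies the current contents of $LDCONF_FILE into the temporary file first, so confirm the surrounding lines do that before the final cp.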

Should be:

MKT=/bin/mktemp
printf "/usr/local/lib\n" >> /bin/mktemp
$SUDO cp /bin/mktemp $LDCONF_FILE

Ouch...
Comment 6 Tomas Hoger 2008-08-28 09:31:51 EDT
Created attachment 315217
*DO NOT USE* Debian patch

Debian patch based on original bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496383

Looks like that patch got it wrong as well ;(.
Comment 7 Tomas Hoger 2008-08-28 10:08:52 EDT
Created attachment 315220
Improved Debian patch
Comment 8 Lucian Langa 2008-08-28 10:19:53 EDT
On a closer look, the following

    get_shapelib.sh:


        printf "Checking /etc/ld.so.conf"

        if (! grep /usr/local/lib /etc/ld.so.conf 2>&1 > /dev/null)
        then
            printf "Warning: /usr/local/lib not in /etc/ld.so.conf - adding it\n"
            cp /etc/ld.so.conf /tmp
            printf "/usr/local/lib\n" >> /tmp/ld.so.conf
            $SUDO cp /etc/ld.so.conf /etc/ld.so.conf.save
            $SUDO cp /tmp/ld.so.conf /etc/ld.so.conf
        fi

should be only needed when compiling from source and with no prefix specified
(no prefix defaults to /usr/local). We ship xastir with /usr as prefix and
we already have /usr/lib among ldconfig search paths, so this makes the
above useless. I think just stripping those sections from both files will fix
this issue.
Comment 9 Tomas Hoger 2008-08-28 10:31:09 EDT
Sorry, I'm completely out of context, so I may be completely wrong... but those two affected scripts seem to download source for shapelib and maptools (whatever those packages are), build and install them (probably in /usr/local).
Comment 10 Lucian Langa 2008-08-28 10:38:34 EDT
Yes, but xastir is already built against shapelib and maptools (gdal, proj4, ..). They're not required at all. I think they were made for easier installation when compiling from source. I think it shouldn't have been packaged in the first place.
Comment 11 Tomas Hoger 2008-08-28 11:01:04 EDT
Ok, thanks!  So dropping those scripts completely seems like a good way to go.
Comment 12 Fedora Update System 2008-08-28 14:40:47 EDT
xastir-1.9.2-9.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/xastir-1.9.2-9.fc9
Comment 13 Fedora Update System 2008-08-28 14:42:03 EDT
xastir-1.9.2-8.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/xastir-1.9.2-8.fc8
Comment 14 Fedora Update System 2008-09-05 08:20:55 EDT
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-09-10 02:48:03 EDT
xastir-1.9.2-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2008-09-10 03:00:23 EDT
xastir-1.9.2-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Tomas Hoger 2008-11-06 12:50:15 EST
CVE id CVE-2008-4987 was assigned to this issue:

xastir 1.9.2 allows local users to overwrite arbitrary files via a
symlink attack on the (a) /tmp/ldconfig.tmp, (b) /tmp/ldconf.tmp, and
(c) /tmp/ld.so.conf temporary files, related to the (1)
get-maptools.sh and (2) get_shapelib.sh scripts.
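
The temporary-file handling discussed in this bug, written without fixed names under /tmp. This is an added example, not code from xastir, the Fedora patch or the Debian patch; `add_lib_path` is a hypothetical function name, and `$SUDO` is used the way the quoted scripts use it.

```shell
#!/bin/sh
# Added example (not xastir code): append a library directory to a config
# file through a private temporary file instead of /tmp/ldconf.tmp.
# add_lib_path is a hypothetical name.

add_lib_path() {
    conf=$1    # file to update, e.g. /etc/ld.so.conf
    dir=$2     # directory to add, e.g. /usr/local/lib

    # Nothing to do if the exact line is already present.
    grep -qxF -- "$dir" "$conf" 2>/dev/null && return 0

    # mktemp creates the file exclusively (O_EXCL), mode 0600, under an
    # unpredictable name, so a symlink planted in advance is never followed.
    tmp=$(mktemp "${TMPDIR:-/tmp}/ldconf.XXXXXXXXXX") || return 1

    # Build the new contents in the private file.
    if [ -f "$conf" ]; then
        cat -- "$conf" > "$tmp" || { rm -f -- "$tmp"; return 1; }
    fi
    printf '%s\n' "$dir" >> "$tmp" || { rm -f -- "$tmp"; return 1; }

    # Keep a backup of the original, then install the new file.
    if [ -f "$conf" ]; then
        ${SUDO:-} cp -- "$conf" "$conf.orig" || { rm -f -- "$tmp"; return 1; }
    fi
    if ${SUDO:-} cp -- "$tmp" "$conf"; then rc=0; else rc=1; fi

    # Always remove the temporary file, whether or not the install worked.
    rm -f -- "$tmp"
    return "$rc"
}
```

If the target file does not exist yet, `cp` creates it with the temporary file's 0600 mode, so set the mode explicitly when other users must be able to read it.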
