The rkhunter package, as shipped within the Fedora releases, is prone to a symlink attack.

Affected file: /usr/bin/rkhunter

Relevant part of the code:

    if [ "$1" = "--debug" ]; then
        # Only a pre-existing regular, non-symlink file is removed; anything else aborts.
        if [ -e "/tmp/rkhunter-debug" ]; then
            if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
                rm -f /tmp/rkhunter-debug >/dev/null 2>&1
            else
                echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
                exit 1
            fi
        fi

        DEBUG_OPT=1

        # The redirection below is a separate open() from the test above; it follows
        # a symlink planted at the fixed path in between and truncates its target.
        exec 1>/tmp/rkhunter-debug 2>&1
        set -x

Description: A malicious user could precreate a symbolic link pointing to the file '/tmp/rkhunter-debug', then run the rkhunter command to destroy / truncate the target of the symlink to zero size.

References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496366

Affected versions: This issue affects all versions of the rkhunter package, as shipped within the Fedora releases 8 and 9, and the versions of the rkhunter package, as shipped within the Extra Packages for Enterprise Linux (EPEL) project.
The more real bug in Debian seems to be: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496375 (the one you refer to is the mass bug filing against a bunch of packages' tmp use). Debian seems to have fixed this by using mktemp for the debug file, but leaving it in /tmp/. Should we do likewise, or move the debug file to /var/run/ as well? Note that the current script does test the file for being a regular file, so the window for the attack is pretty small.
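The following is an added example, not code from this bug report or from the rkhunter project, that reproduces the check-then-open race from the shipped script and the mktemp-based fix discussed above in a throwaway directory. Everything runs inside a scratch directory created with mktemp -d, so the real /tmp is never touched; the file names victim.txt and rkhunter-debug, and the "attacker" who plants the link between the test and the redirect, are constructed stand-ins for the real /tmp/rkhunter-debug and a local user who wins the race.

```shell
#!/bin/sh
# Added example (not from rkhunter): check-then-open symlink race and the mktemp fix.
set -u

# Scratch area standing in for /tmp (constructed for this example).
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
VICTIM="$WORK/victim.txt"      # a file the attacker wants truncated
DEBUG="$WORK/rkhunter-debug"   # stands in for the fixed path /tmp/rkhunter-debug

# Same test as the shipped /usr/bin/rkhunter: only a plain, non-symlink file is
# tolerated (and removed); anything else makes the script refuse to continue.
debug_path_ok() {
    p=$1
    if [ -e "$p" ]; then
        if [ -f "$p" ] && [ ! -h "$p" ]; then
            rm -f "$p"
        else
            return 1
        fi
    fi
    return 0
}

# Same open as the shipped script (exec 1>path): the shell's > redirection
# follows a symlink and truncates whatever the link points at.
naive_open() { : >"$1"; }

# Vulnerable sequence. The attacker's ln -s is placed between the check and the
# open to simulate winning the race deterministically. Returns 0 if the victim
# file was truncated through the link.
run_vulnerable() {
    rm -f "$DEBUG"
    printf 'secret data\n' >"$VICTIM"
    debug_path_ok "$DEBUG" || return 2   # passes: nothing is there yet
    ln -s "$VICTIM" "$DEBUG"             # attacker plants the link after the check
    naive_open "$DEBUG"                  # ... and the open follows it
    [ ! -s "$VICTIM" ]
}

# Fixed sequence, as in the Debian change: let mktemp create the file itself
# (O_CREAT|O_EXCL) under an unpredictable name, so there is no separate check
# and open to race and a pre-planted link at a guessed name is never opened.
# Returns 0 if the victim is intact and the debug file is a real file.
run_fixed() {
    rm -f "$DEBUG"
    printf 'secret data\n' >"$VICTIM"
    f=$(mktemp "$WORK/rkhunter-debug.XXXXXX") || return 2
    ln -sf "$VICTIM" "$DEBUG"            # attacker's link at the old fixed name
    : >"$f"                              # writes go to the mktemp'd file only
    [ -s "$VICTIM" ] && [ ! -h "$f" ] && [ -f "$f" ]
}

if run_vulnerable; then
    echo "vulnerable: $VICTIM was truncated through the planted link"
fi
if run_fixed; then
    echo "fixed: debug output went to a mktemp'd file, $VICTIM untouched"
fi
```

The regular-file test in the shipped script does not help here because `[ -f ... -a ! -h ... ]` and `exec 1>...` are two separate system calls on the same predictable path; only an atomic exclusive create under a name the attacker cannot guess (what mktemp does) removes the window, whichever directory the file ends up in.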
Created attachment 315445: proposed patch using mktemp

Here's a proposed patch using mktemp.
rkhunter-1.3.2-5.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc9
rkhunter-1.3.2-5.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc8
rkhunter-1.3.2-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.3.2-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-4982 was assigned to this flaw: rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/rkhunter-debug temporary file. NOTE: this is probably a different vulnerability than CVE-2005-1270.
Fixed in: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8364 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8314