The lazarus package, as shipped within the Fedora releases of 9 and 10, is prone to symlink attacks (various files).

Affected files and relevant parts of the code for each of them:

1, /usr/lib/lazarus/tools/convert_po_file_to_utf-8.sh

  15 iconv --from-code=$OldCharSet --to-code=UTF-8 $POFile > $POFile.tmp
  16 cat $POFile.tmp | sed -e 's/\(^".* charset\)='$OldCharSet'/\1=UTF-8/' > $POFile
  17 rm $POFile.tmp

2, /usr/lib/lazarus/tools/install/build_fpc_snaphot_rpm.sh

  54 # create a temporary copy of the fpc sources to patch it
  55 TmpDir=/tmp/`whoami`/fpc
  56 rm -rf $TmpDir

(And all occurrences.)

3, /usr/lib/lazarus/tools/install/check_fpc_dependencies.sh

  10 echo Testing fpc ...
  11 TmpDir=/tmp/fpc
  12 rm -rf $TmpDir
  13 mkdir -p $TmpDir

4, /usr/lib/lazarus/tools/install/create_fpc_deb.sh

  87 # create a temporary copy of the fpc sources to patch it
  88
  89 TmpDir=/tmp/fpc_patchdir
  90 if [ "$WithTempDir" = "yes" ]; then
  91   if [ -d $TmpDir ]; then
  92     rm -rf $TmpDir/*
  93     rm -r $TmpDir
  94   fi
  95   mkdir -p $TmpDir

5, /usr/lib/lazarus/tools/install/create_fpc_export_tgz.sh

  23 if [ "x$Download" = "xyes" ]; then
  24   echo "downloading fpc svn ..."
  25   cd /tmp
  26   rm -rf /tmp/fpc
  27   svn export http://svn.freepascal.org/svn/fpc/trunk fpc
  28   cd -
  29 else
  30   echo "extracting fpc from local svn ..."
  31   rm -rf /tmp/fpc
  32   svn export $SourceDir /tmp/fpc
  33 fi
  34
  35 cd /tmp
  36 echo "packing ..."
  37 tar cvzf /tmp/fpc.tgz fpc
  38 cd -
  39 mv /tmp/fpc.tgz $OutputFile
  40 rm -rf /tmp/fpc
  41
  42 # end.
  43

6, /usr/lib/lazarus/tools/install/create_fpc_rpm.sh

  53 # create a temporary copy of the fpc sources to patch it
  54 TmpDir=/tmp/fpc_patchdir
  55 if [ "$WithTempDir" = "yes" ]; then
  56   if [ -d $TmpDir ]; then
  57     rm -rf $TmpDir/*
  58     rm -r $TmpDir
  59   fi
  60   mkdir -p $TmpDir

7, /usr/lib/lazarus/tools/install/create_fpc-src_rpm.sh

  56 # copy custom rpm scripts
  57 cp smart_strip.sh /tmp/smart_strip.sh
  58 chmod a+x /tmp/smart_strip.sh
  59 cp do_nothing.sh /tmp/do_nothing.sh
  60 chmod a+x /tmp/do_nothing.sh

8, /usr/lib/lazarus/tools/install/create_fpc_tgz_from_local_dir.sh

  35 TmpBaseDir=/tmp
  36 TmpDir=$TmpBaseDir/fpc
  37
  38 rm -rf $TmpDir

9, /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh

  20 if [ "x$Download" = "xyes" ]; then
  21   echo "downloading lazarus svn ..."
  22   cd /tmp
  23   rm -rf /tmp/lazarus
  24   svn export http://svn.freepascal.org/svn/lazarus/trunk lazarus
  25   cd -
  26 else
  27   echo "extracting lazarus from local svn ..."
  28   SourceDir=$(pwd | sed -e 's#lazarus[_0-9]*/tools.*$#lazarus#')
  29   rm -rf /tmp/lazarus
  30   svn export $SourceDir /tmp/lazarus
  31 fi
  33 # add ide/revision.inc
  34 Revision=$(svnversion /tmp/lazarus)
  35 echo "const RevisionStr = '$Revision';" > /tmp/lazarus/ide/revision.inc
  37 cd /tmp
  38 echo "packing ..."
  39 tar cvzf lazarus.tgz lazarus
  40 cd -
  41 mv /tmp/lazarus.tgz $OutputFile
  42 rm -rf /tmp/lazarus

(More examples to be added in next comments.)

Description: A malicious user could pre-create a symlink with the same name as one of the 'hardcoded' files in the /tmp directory. Subsequent installation of the lazarus package would allow him to destroy / truncate the target of the symlink to zero size.

Affected lazarus versions: This issue affects the versions of the lazarus package, as shipped with Fedora releases of 9 and 10.
Affected file: /usr/lib/lazarus/tools/install/create_lazarus_snapshot_rpm.sh

Relevant part of the code:

  39 User=`whoami`
  40 TmpFPCDir=/tmp/$User/fpc
  41 if [ -e $TmpFPCDir ]; then
  42   rm -rf $TmpFPCDir
  43 fi
  44 mkdir -p $TmpFPCDir

  60 TmpDir=/tmp/`whoami`/lazarus
  61
  62 rm -rf $TmpDir
  63 echo "extracting Lazarus source from local svn ..."
  64 svn export $LazSrcDir $TmpDir
  65 if [ ! -e ../svn2revisioninc ]; then
  66   make -C ../.. tools OPT="-n @$FPCCfg"
  67 fi
  68 ../svn2revisioninc $LazSrcDir $TmpDir/ide/revision.inc
  69
  70 # create a source tar.gz
  71 cd $TmpDir/..
  72 tar -czf $RPMDIR/SOURCES/lazarus-$LazVersion-$Date.tar.gz lazarus
  73
  74 # remove the tempdir
  75 cd -
  76 rm -rf $TmpDir

Affected file: /usr/lib/lazarus/tools/install/cross_unix/create_linux_cross_win32_rpm.sh

Relevant part of the code:

  110 #----------------------------------------------------------------------------
  111 # create temporary directory
  112 #----------------------------------------------------------------------------
  113 TmpSrcDir=/tmp/fpc_crosswin32
  114 echo "create temporary directory $TmpSrcDir ..."
  115 rm -rf $TmpSrcDir
  116 mkdir -p $TmpSrcDir
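As an added example (this is not code from the lazarus scripts, from Fedora, or from the upstream fix), the following POSIX shell script reproduces the symlink truncation the report describes and shows the mktemp-based replacement for hard-coded names such as /tmp/fpc.tgz and /tmp/fpc. It runs entirely inside a private scratch directory that stands in for /tmp, so nothing on the real system is touched; the function names, the victim file and the "fpc.tgz" name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lazarus scripts): reproduce the /tmp
# symlink truncation from the report, then show the mktemp-based fix.
# A private scratch directory stands in for /tmp. All names are constructed.

# Attacker: pre-create the predictable temp name ($1/fpc.tgz) as a symlink
# to a file ($2) that the victim user can write. In the real attack the
# attacker cannot write the target himself; the victim's script does it.
attacker_plant() {
    ln -s "$2" "$1/fpc.tgz"
}

# Vulnerable pattern, same shape as "tar cvzf /tmp/fpc.tgz fpc" or
# "iconv ... > $POFile.tmp": the redirection follows the symlink and
# truncates whatever it points at.
vulnerable_write() {
    : > "$1/fpc.tgz"
}

# Hardened pattern: mktemp creates a fresh, unpredictable name with
# O_CREAT|O_EXCL, so a pre-planted link can never be selected.
# Prints the created path so the caller can use it.
safe_write() {
    f=$(mktemp "$1/fpc.XXXXXX") || return 1
    : > "$f"
    printf '%s\n' "$f"
}

# Replacement for the "TmpDir=/tmp/fpc; rm -rf $TmpDir; mkdir -p $TmpDir"
# pattern: refuse a pre-existing entry (a symlink, even a dangling one,
# or a directory someone else owns) and create a fresh one with mktemp -d.
# The existence check alone would be racy; mktemp -d is what actually
# prevents the attacker from supplying the directory.
safe_tmpdir() {
    if [ -e "$1/fpc" ] || [ -L "$1/fpc" ]; then
        return 1
    fi
    mktemp -d "$1/fpc.XXXXXX"
}

# Whole scenario in a fresh sandbox: returns 0 if the vulnerable write
# emptied the victim file and the safe write left it intact.
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim.conf"
    printf 'important=yes\n' > "$victim"
    attacker_plant "$sandbox" "$victim"
    vulnerable_write "$sandbox"
    vuln_ok=1; [ -s "$victim" ] || vuln_ok=0     # 0 = victim is now empty
    printf 'important=yes\n' > "$victim"
    safe_write "$sandbox" > /dev/null
    safe_ok=0; [ -s "$victim" ] && safe_ok=1     # 1 = victim still intact
    echo "victim non-empty after vulnerable write: $vuln_ok, after safe write: $safe_ok"
    rm -rf "$sandbox"
    [ "$vuln_ok" -eq 0 ] && [ "$safe_ok" -eq 1 ]
}

demo
```

Run it with `sh example.sh`; it prints one line and exits 0 when the hard-coded write emptied the victim file while the mktemp write did not. The point of safe_tmpdir is that the fix is the unpredictable name created atomically by mktemp, not the `[ -L ]` check: an attacker who can write /tmp can plant the link between any check and the following `mkdir -p` or `cd`, which is exactly the window the scripts above leave open.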
Most of the affected scripts seem to be tools used by upstream to automate package creation tasks. If that's the case, they may not need to be included in Fedora packages at all.
I've mailed upstream and they fixed a few issues immediately, but others are somewhat more difficult. They also said: "Maybe the best solution is not to package these scripts in rpm/debs, so that they don't enter the dangerous wild where people are running scripts with root permissions and add symlinks in the tmp directory."

All scripts except the first one are indeed tools to automate package creation. I'll remove these scripts, and file bug reports upstream so that they can fix these issues if they have time.

One question though: should I make an update for Fedora 9? Or is this not important enough, so that it can wait?
(Sorry for the late reply!)

(In reply to comment #3)
> One question though: should I make an update for Fedora 9? Or is this not
> important enough, so that it can wait?

I noticed those scripts are no longer shipped with Rawhide / F10 version: http://koji.fedoraproject.org/koji/buildinfo?buildID=67836

As for F9, I'd say not to do an update just for this. Scripts are not in PATH and are probably not very likely to be run anyway. If there's an update for F9 needed for some other reason, they can be removed.
CVE id CVE-2008-5007 was assigned to this issue: create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.