alsa-utils-1.0.19 and later allows local users to overwrite arbitrary files via a symlink attack via the (1) /usr/bin/alsa-info and (2) /usr/bin/alsa-info.sh scripts.
Credit for discovering this vulnerability goes to: Ville Skyttä

Relevant files, on which the symlink attack is possible:

 44:  wget -O /tmp/alsa-info.sh "http://www.alsa-project.org/alsa-info.sh" >/dev/null 2>&1
 45:  REMOTE_VERSION=`grep SCRIPT_VERSION /tmp/alsa-info.sh |head -n1 |sed 's/.*=//'`
 60:  cp /tmp/alsa-info.sh $0
 63:  rm /tmp/alsa-info.sh 2>/dev/null
 65:  echo "ALSA-Info script has been downloaded as /tmp/alsa-info.sh."
 70:  rm /tmp/alsa-info.sh 2>/dev/null
 76:  cp /tmp/alsa-info.sh $0
 78:  rm /tmp/alsa-info.sh 2>/dev/null
 80:  echo "ALSA-Info script has been downloaded as /tmp/alsa-info.sh."
 86:  rm /tmp/alsa-info.sh 2>/dev/null
123:  CARD_NAME=`grep "^ *$i " /tmp/alsainfo/alsacards.tmp|awk {'print $2'}`
147:  $exe -f /tmp/alsainfo/alsactl.tmp store
149:  cat /tmp/alsainfo/alsactl.tmp >> $FILE
285: TEMPDIR="/tmp/alsainfo/"
286: FILE="/tmp/alsa-info.txt"
309: VENDOR_ID=`lspci -vn |grep 040[1-3] | awk -F':' '{print $3}'|awk {'print substr($0, 2);}' >/tmp/alsainfo/vendor_id.tmp`
310: DEVICE_ID=`lspci -vn |grep 040[1-3] | awk -F':' '{print $4}'|awk {'print $1'} >/tmp/alsainfo/device_id.tmp`
312: cat /proc/asound/modules 2>/dev/null|awk {'print $2'}>/tmp/alsainfo/alsamodules.tmp
313: cat /proc/asound/cards >/tmp/alsainfo/alsacards.tmp
314: lspci |grep -i "multi\|audio">/tmp/alsainfo/lspci.tmp
317: cat /proc/asound/card*/codec\#* > /tmp/alsainfo/alsa-hda-intel.tmp 2> /dev/null
320: cat /proc/asound/card*/codec97\#0/ac97\#0-0 > /tmp/alsainfo/alsa-ac97.tmp 2> /dev/null
321: cat /proc/asound/card*/codec97\#0/ac97\#0-0+regs > /tmp/alsainfo/alsa-ac97-regs.tmp 2> /dev/null
327: echo "name=$USER&type=33&description=/tmp/alsa-info.txt&expiry=&s=Submit+Post&content=" > $FILE
363: cat /tmp/alsainfo/alsamodules.tmp >> $FILE
369: cat /tmp/alsainfo/alsacards.tmp >> $FILE
375: cat /tmp/alsainfo/lspci.tmp >> $FILE
408: if [ -s "/tmp/alsainfo/alsa-hda-intel.tmp" ]
414:  cat /tmp/alsainfo/alsa-hda-intel.tmp >> $FILE
420: if [ -s "/tmp/alsainfo/alsa-ac97.tmp" ]
426:  cat /tmp/alsainfo/alsa-ac97.tmp >> $FILE
428:  cat /tmp/alsainfo/alsa-ac97-regs.tmp >> $FILE
586:  wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt "http://www.alsa-project.org/cardinfo-db/" &>/tmp/alsainfo/wget.tmp || echo "Upload failed; exit"
593:  wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt "http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah" &>/tmp/alsainfo/wget.tmp || echo "Upload failed; exit"
606:  wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt http://www.alsa-project.org/cardinfo-db/ &>/tmp/alsainfo/wget.tmp &
609:  wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY &>/tmp/alsainfo/wget.tmp &
630:  FINAL_URL=`tput setaf 1; grep "SUCCESS:" /tmp/alsainfo/wget.tmp | cut -d ' ' -f 2 ; tput sgr0`
632:  FINAL_URL=`tput setaf 1; grep "SUCCESS:" /tmp/alsainfo/wget.tmp |sed -n 's/.*\:\([0-9]\+\).*/http:\/\/pastebin.ca\/\1/p';tput sgr0`
636:  FINAL_URL=`grep "SUCCESS:" /tmp/alsainfo/wget.tmp | cut -d ' ' -f 2`
638:  FINAL_URL=`grep "SUCCESS:" /tmp/alsainfo/wget.tmp |sed -n 's/.*\:\([0-9]\+\).*/http:\/\/pastebin.ca\/\1/p'`
665:  grep -v "alsa-info.txt" /tmp/alsa-info.txt >/tmp/alsainfo/uploaded.txt
666:  dialog --backtitle "$BGTITLE" --textbox /tmp/alsainfo/uploaded.txt 0 0
This issue does NOT affect the versions of the alsa-utils package as shipped with Red Hat Enterprise Linux 4 and 5. This issue does NOT affect the version of the alsa-utils package as shipped with Fedora release 9. This issue affects the versions of the alsa-utils package as shipped with Fedora releases 10 and devel.
I'm wondering why alsa-info in alsa-utils-1.0.17-2.fc9.x86_64 for Fedora 9 would NOT be affected. Regarding the handling of files in /tmp, it seems essentially the same to me as in later versions.

Other remarks: The initial comment and summary of this bug refer to alsa-info and alsa-info.sh. I'm unaware of a package that would contain alsa-info.sh. The summary of this bug refers to /bin/alsa-info{,.sh}; I believe it should be /usr/bin/alsa-info.
(In reply to comment #3)
> The initial comment and summary of this bug refer to alsa-info and
> alsa-info.sh. I'm unaware of a package that would contain alsa-info.sh.

$ rpm -q alsa-utils
alsa-utils-1.0.19-1.fc10.x86_64
$ ll /usr/bin/alsa-info*
-rwxr-xr-x 1 root root 23283 Nov  4 10:46 /usr/bin/alsa-info
lrwxrwxrwx 1 root root     9 Jan 27 15:13 /usr/bin/alsa-info.sh -> alsa-info

> The summary of this bug refers to /bin/alsa-info{,.sh}, I believe it should be
> /usr/bin/alsa-info.

Yeah, apparently only one of those should be mentioned.
Note that all collected information can be obtained by any user with default privileges. Also, before any action, the script asks the user for confirmation with information on what the script will try to do. The possible security impact is very low in my eyes. If you provide a patch against alsa-info.sh to make it more robust, I'll commit it to the upstream repository, of course. Thanks.
Note that this bug is about insecure temporary file handling which allows local users to cause overwriting of, or appending to, arbitrary files to which the user who runs alsa-info has write access. The nature of the collected information is not relevant to this issue.
OK, I see the problem now. The script version 0.4.54 uses mktemp to avoid this problem. Only 'mv $tempfile /tmp/alsa-info.txt' is used at the end of operation which should be safe for symlink attacks and keeps filename nice for users. I included this fix to 1.0.19-2 F10 package and to 1.0.19-3 rawhide package.
Version 0.4.54 of the script looks better on a quick peek, however I think the script should be made to abort if any of the introduced mktemp's fail - currently it seems to me that it simply continues on. Please also note that alsa-utils-1.0.17-2.fc9 in the F-9 updates repository is affected as well, and needs an update.
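The two points made in the preceding comments (a fixed /tmp name is clobberable through a planted symlink; the fix is mktemp with abort-on-failure, followed by a plain mv onto the final name) can be shown in a few lines of sh. The script below is an added illustration, not code from the bug report or from alsa-info.sh: the function names insecure_write, secure_write and demo are made up for the example, and everything runs inside a private directory created with mktemp -d rather than in the real /tmp.

```shell
#!/bin/sh
# Added example: fixed-name temp file vs mktemp + mv, run in a private sandbox.
# Not part of alsa-info.sh; function names and paths are assumptions.

# Vulnerable pattern (what the old script did): write to a predictable path.
# If an attacker has already created that path as a symlink to a file the
# victim can write, the redirection follows the link and clobbers the target.
insecure_write() {
    # $1 = fixed output path, $2 = content
    echo "$2" > "$1"
}

# Hardened pattern: mktemp creates a fresh file with an unguessable name
# (O_CREAT|O_EXCL, so a planted symlink cannot be followed) and the caller
# aborts if mktemp fails instead of carrying on with an empty variable.
# Prints the temp file path on success.
secure_write() {
    # $1 = directory to create the temp file in, $2 = content
    tmpfile=$(mktemp "$1/alsa-info.XXXXXX") || {
        echo "mktemp failed, aborting" >&2
        return 1
    }
    echo "$2" > "$tmpfile" || return 1
    printf '%s\n' "$tmpfile"
}

# Runs both patterns against an attacker-planted symlink in a sandbox.
# Returns 0 when the vulnerable write clobbered the victim file and the
# hardened write followed by mv onto the final name left it untouched.
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    final="$sandbox/alsa-info.txt"
    echo "original" > "$victim"

    # Attacker step: plant a symlink at the predictable report name.
    ln -s "$victim" "$final" || { rm -rf "$sandbox"; return 1; }

    # 1. Vulnerable: the write goes through the symlink into the victim file.
    insecure_write "$final" "pwned"
    [ "$(cat "$victim")" = "pwned" ] || { rm -rf "$sandbox"; return 1; }

    # Reset the victim; the planted symlink is still in place.
    echo "original" > "$victim"

    # 2. Hardened: report is written to a mktemp file, then renamed onto the
    #    final name. rename(2) replaces the symlink entry itself rather than
    #    following it, so the victim is never written.
    tmp=$(secure_write "$sandbox" "report") || { rm -rf "$sandbox"; return 1; }
    mv "$tmp" "$final" || { rm -rf "$sandbox"; return 1; }
    [ "$(cat "$victim")" = "original" ] || { rm -rf "$sandbox"; return 1; }
    [ ! -L "$final" ] || { rm -rf "$sandbox"; return 1; }
    [ "$(cat "$final")" = "report" ] || { rm -rf "$sandbox"; return 1; }

    rm -rf "$sandbox"
    return 0
}

# Usage: prints a one-line verdict when the demo behaves as described above.
demo && echo "fixed-name write clobbered the victim; mktemp + mv did not"
```

The mv at the end is what comment 10 relies on: it renames the mktemp file over the final name, so a symlink sitting there is replaced rather than followed. The `|| return 1` after mktemp is the abort that comment 11 asks for; without it the script would continue with an empty variable and write to whatever path that expands to.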
Outstanding issues mentioned in the previous comment should now be fixed in upstream git in version 0.4.58 via patches from Takashi Iwai:
http://git.alsa-project.org/?p=alsa-driver.git;a=history;f=utils/alsa-info.sh

Original commit from Jaroslav, just for posterity:
http://git.alsa-project.org/?p=alsa-driver.git;a=commitdiff;h=8cd38484c40300b1fa61fde1c1187023e637b9b9

Making this bug public, finally.
F-14 and newer Fedora releases ship a version that I suppose is fixed, maybe this bug can be closed now?