Hello, this bug report has received no additional information for eleven years now. As Javier Fernández-Sanguino Peña considered that the security issue was not confirmed and asked Jann Horn to describe a proof of concept, and received no reply, I am closing this bug report.
Best regards, Georges.

Javier Fernández-Sanguino Peña wrote:
> tags 691275 moreinfo
> thanks
>
> On Tue, Oct 23, 2012 at 09:28:05PM +0200, Jann Horn wrote:
> > Debian's crontab contains multiple symlink races. If
> > crontab was setuid root (which I think it normally is), this could be used
> > to e.g. wipe directories (vulnerable code is in cleanup_tmp_crontab) or for
> > other attacks. However, as it is only setgid crontab on debian, the only
> > attack this can be used for is to block cron access for a user named
> > "crontab" by invoking "crontab -e" and replacing the
> > folder in /tmp with a symlink before crontab creates the file "crontab"
> > inside the folder. The code vulnerable to this attack is in
> > create_tmp_crontab.
>
> Could you please detail where you see the symlink races or show, at least,
> a proof of concept of the symlink race in action and how I can reproduce this
> bug?
>
> Reviewing the code: the directory used in cleanup_tmp_crontab is actually
> defined in create_tmp_crontab using mkdtemp(). Mkdtemp ensures that the directory
> created is both unique as well as restricted to the user running it.
>
> This means that, as far as I know, any files created within that directory
> (and removed afterwards) should be "safe". This includes the unlink() calls in
> cleanup_tmp_crontab, as well as the rmdir() call there.
>
> Best regards
>
> Javier

-- 
Georges KHAZNADAR and Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Telephone +33 (0)3 28 29 17 70
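The pattern the thread argues about (a mkdtemp() directory, a file created inside it, unlink() and rmdir() in the cleanup) written the defensive way, as an added example. This is not the Debian crontab code and not code from any participant in the thread; the function names create_private_tmp_file, cleanup_private_tmp, round_trip and refuses_planted_symlink, the template /tmp/crontab-example.XXXXXX and the sample crontab line are all constructed for the illustration. The point it shows is the one a reviewer wants checked: hold a descriptor to the mkdtemp() directory, verify through that descriptor that it is still our own 0700 directory, and create and remove the file relative to the descriptor (openat/unlinkat with O_NOFOLLOW and O_EXCL) so the directory path is never re-resolved between the check and the use. rmdir() on the final path is safe on its own because it refuses to operate through a symlink.

```c
/* Added example, not code from the crontab package or from this bug thread.
 * Names, the /tmp template and the sample line are constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private directory with mkdtemp(), open it with O_DIRECTORY|O_NOFOLLOW,
 * confirm through the descriptor that it is a directory we own with mode 0700,
 * then create the file relative to that descriptor. Returns the directory fd
 * (the file fd is stored in *file_fd) or -1 on any failure. */
int create_private_tmp_file(char *dir_template, const char *name, int *file_fd)
{
    if (mkdtemp(dir_template) == NULL)
        return -1;
    int dfd = open(dir_template, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    struct stat st;
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 0077) != 0) {
        close(dfd);
        return -1;
    }
    /* O_EXCL refuses any pre-existing entry, a symlink included, wherever it points. */
    int fd = openat(dfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        close(dfd);
        return -1;
    }
    *file_fd = fd;
    return dfd;
}

/* Remove the file relative to the held directory fd rather than by re-walking
 * the path; rmdir() on the path does not follow a symlink in its final component. */
int cleanup_private_tmp(int dfd, const char *name, const char *dir_path)
{
    int rc = 0;
    if (unlinkat(dfd, name, 0) != 0) rc = -1;
    close(dfd);
    if (rmdir(dir_path) != 0) rc = -1;
    return rc;
}

/* Full round trip: create, write a constructed sample line, verify the open file
 * is the regular file that sits under our directory, clean up. Returns 0 on success. */
int round_trip(void)
{
    char dir[] = "/tmp/crontab-example.XXXXXX";
    int ffd;
    int dfd = create_private_tmp_file(dir, "crontab", &ffd);
    if (dfd < 0) return -1;
    const char line[] = "# constructed sample crontab line\n";
    if (write(ffd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1)) return -2;
    struct stat fst, dst;
    if (fstat(ffd, &fst) != 0 || !S_ISREG(fst.st_mode) || fst.st_nlink != 1) return -3;
    /* The entry named "crontab" in our directory must be the very inode we hold open. */
    if (fstatat(dfd, "crontab", &dst, AT_SYMLINK_NOFOLLOW) != 0 ||
        dst.st_ino != fst.st_ino || dst.st_dev != fst.st_dev) return -4;
    close(ffd);
    if (cleanup_private_tmp(dfd, "crontab", dir) != 0) return -5;
    struct stat gone;
    return (lstat(dir, &gone) != 0 && errno == ENOENT) ? 0 : -6;
}

/* The check itself: a symlink already sitting at the target name (constructed
 * here inside our own directory) is refused by O_CREAT|O_EXCL|O_NOFOLLOW instead
 * of being followed. Returns 1 if the open was refused with EEXIST. */
int refuses_planted_symlink(void)
{
    char dir[] = "/tmp/crontab-example.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (symlinkat("/dev/null", dfd, "crontab") != 0) { close(dfd); return -1; }
    int fd = openat(dfd, "crontab", O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlinkat(dfd, "crontab", 0);
    close(dfd);
    rmdir(dir);
    return refused;
}

int main(void)
{
    printf("round trip: %d (0 = ok)\n", round_trip());
    printf("planted symlink refused: %d (1 = yes)\n", refuses_planted_symlink());
    return 0;
}
```

Both results are returned rather than only printed so they can be checked directly; the example needs a writable /tmp and is Linux/glibc oriented (openat, fstatat, symlinkat, O_CLOEXEC).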