Package: coreutils
Version: 5.2.1-2
Severity: important
Tags: security

Our coreutils seems to be vulnerable to the problem described in
CAN-2005-1039.

http://www.securityfocus.com/archive/1/395489

A quick strace of "mkdir -m 400 foo" shows the problem:

mkdir("foo", 0400)                      = 0
chmod("foo", 0400)                      = 0

So if this is run in a directory where the attacker has access, such as
a group writable directory (as commonly used for teams in e.g. the Debian
project; on alioth, etc), then the attacker can race between the mkdir
and chmod calls, (re)moving the new directory and replacing it with a
symlink to a file or directory owned by the user who ran mkdir. The
chmod will then follow the symlink and act on that directory. And
similar for the other commands.

A fix would be to create the directory/device with the right perms
and not chmod it again afterwards.

-- 
see shy jo
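
The fix proposed above, sketched in C as an added example (not part of the original report and not coreutils' own code): the directory is created with its final mode in a single mkdir(2) call, so no chmod follows that could be redirected through a planted symlink. The helper names, the /tmp scratch path and the single-threaded assumption (umask is process-wide) are choices made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with exactly `mode` in ONE mkdir(2) call; no chmod follows,
 * so there is no second path lookup for an attacker to redirect.
 * Assumption: single-threaded caller, because umask is process-wide. */
int mkdir_exact_mode(const char *path, mode_t mode)
{
    mode_t saved = umask(0);          /* let mkdir apply `mode` unmasked */
    int rc = mkdir(path, mode & 0777);
    int err = errno;
    umask(saved);                     /* restore the caller's umask */
    errno = err;
    return rc;                        /* -1/EEXIST if anything is already there */
}

/* Permission bits of `path` itself (lstat: symlinks are not followed). */
int mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Constructed scenario in a fresh temp directory: returns the mode of a
 * victim directory after mkdir_exact_mode() is pointed at a symlink to it. */
int victim_mode_after_symlink_attempt(void)
{
    char base[] = "/tmp/mkdir-race-XXXXXX";
    if (!mkdtemp(base) || chdir(base) != 0) return -1;
    if (mkdir("victim", 0755) != 0 || chmod("victim", 0755) != 0) return -1;
    if (symlink("victim", "foo") != 0) return -1;   /* planted name */
    if (mkdir_exact_mode("foo", 0400) != -1 || errno != EEXIST) return -1;
    return mode_of("victim");
}

int main(void)
{
    umask(022);
    printf("victim: %04o\n", (unsigned)victim_mode_after_symlink_attempt());
    int rc = mkdir_exact_mode("bar", 0400);
    printf("new dir rc=%d mode=%04o\n", rc, (unsigned)mode_of("bar"));
    return 0;
}
```

Because mkdir(2) refuses to create over an existing name, including a symlink, the planted link causes a clean EEXIST failure and the victim directory keeps its mode.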
