This mail is just to confirm the second bug that Nico discovered, executing code from a file called /tmp/gambas-apt-exec.
There was not a bug number on Debian for this issue, but it has also been fixed in the same upload that fixed #476588. Regards. José L. El jue, 17-04-2008 a las 21:23 +0200, Nico Golde escribió: > Package: aptlinex > Severity: normal > Tags: security > > Hi, > looking at the code of aptlinex because of #476572 I > stumbled over another security issue: > > Insecure temporary file usage in ModMain.module: > 90 IF User.Name <> "root" THEN > 91 'EXEC [graphicalSu(), "gambas-apt.gambas", User.Name, Buf] WAIT > 92 PRINT graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf > 93 SHELL graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf > WAIT > 94 IF Exist("/tmp/gambas-apt-exec") THEN sExec = > File.Load("/tmp/gambas-apt-exec") > 95 TRY EXEC [sExec] WAIT > 96 RETURN > 97 END IF > 98 > 99 TRY File.Save("/tmp/gambas-apt.lock", Application.Id) > > Adding a symlink /tmp/gambas-apt.lock -> someimportant file an attacker could > overwrite any file on the system with the process id of aptline since this > process > runs as root. > > The code before that looks like this would load gambas code from a file > called /tmp/gambas-apt-exec > and then execute it but I am not sure cause I have no real idea about gambas. > > Kind regards > Nico >
signature.asc
Description: Esta parte del mensaje está firmada digitalmente