This mail is just to confirm the second bug that Nico discovered,
executing code from a file called /tmp/gambas-apt-exec.

There was not a bug number on Debian for this issue, but it has also
been fixed in the same upload that fixed #476588.

Regards.
José L.

On Thu, 17-04-2008 at 21:23 +0200, Nico Golde wrote:
> Package: aptlinex
> Severity: normal
> Tags: security
> 
> Hi,
> looking at the code of aptlinex because of #476572 I 
> stumbled over another security issue:
> 
> Insecure temporary file usage in ModMain.module:
>   IF User.Name <> "root" THEN
>     'EXEC [graphicalSu(), "gambas-apt.gambas", User.Name, Buf] WAIT
>     PRINT graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf
>     SHELL graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf WAIT
>     IF Exist("/tmp/gambas-apt-exec") THEN sExec = File.Load("/tmp/gambas-apt-exec")
>     TRY EXEC [sExec] WAIT
>     RETURN
>   END IF
> 
>   TRY File.Save("/tmp/gambas-apt.lock", Application.Id)
> 
> Adding a symlink /tmp/gambas-apt.lock -> some important file, an attacker could
> overwrite any file on the system with the process id of aptlinex since this
> process runs as root.
> 
> The code before that looks like this would load gambas code from a file
> called /tmp/gambas-apt-exec and then execute it, but I am not sure because
> I have no real idea about gambas.
> 
> Kind regards
> Nico
> 

Attachment: signature.asc
Description: This part of the message is digitally signed
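
The two /tmp problems reported in this thread (the File.Save to a fixed lock name and the File.Load of /tmp/gambas-apt-exec), shown next to a hardened form. This is an added Python example, not part of the original mails or of aptlinex; the function names are hypothetical and all files are constructed inside a scratch directory.

```python
import os
import stat
import tempfile
from pathlib import Path

def naive_save(path, data):
    """Same pattern as File.Save on a fixed /tmp name: follows symlinks."""
    with open(path, "w") as f:
        f.write(data)

def safe_save(path, data):
    """Create the file only if no name (file or symlink) already exists there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def load_if_trusted(path, owner_uid):
    """Return contents only for a regular file owned by owner_uid, else None."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None  # missing, or the final path component is a symlink
    with os.fdopen(fd, "r") as f:
        st = os.fstat(f.fileno())  # check the opened file, not the name
        bad_mode = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid or bad_mode:
            return None
        return f.read()

def demo():
    """Run both writers against a symlink planted under the lock name."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "important.conf")  # constructed stand-in
        lock = os.path.join(d, "gambas-apt.lock")
        naive_save(target, "original contents\n")
        os.symlink(target, lock)                    # name exists beforehand
        naive_save(lock, "12345")                   # stand-in for Application.Id
        clobbered = Path(target).read_text() == "12345"
        naive_save(target, "original contents\n")   # restore for second run
        try:
            safe_save(lock, "12345")
            refused = False
        except FileExistsError:
            refused = True
        intact = Path(target).read_text() == "original contents\n"
        return clobbered, refused, intact, load_if_trusted(lock, os.getuid())

if __name__ == "__main__":
    print(demo())
```

Keeping lock and hand-off files in a directory only the privileged process can write to removes the race entirely; the flag and ownership checks above are the fallback when a shared directory cannot be avoided.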
