Package: pimd
Version: 2.1.5-3
Severity: critical
Tags: security patch upstream
Justification: root security hole

Hi!

There is a simple security hole in pimd allowing a user to destroy any
file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
a dump of the multicast route table. Since /var/tmp is writable by any
user, a user can create a symlink to any file he wants to destroy with
the content of the multicast routing table.

Attached is a simple patch that will instruct pimd to write the dump
to /var/lib/misc which is writable by root only and seems a valid
target according to the FHS (state files that don't need a
subdirectory).

This patch may cause tools that were sending USR1 and waiting for a
/var/tmp/pimd.dump file to fail. I don't have a solution for this.

The patch also applies to /var/tmp/pimd.cache which is not implemented
yet but still creates the file when receiving the USR2 signal. Despite its
name, this is also a state file, not a cache. The patch also just
drops the possibility to use /usr/tmp/pimd.dump based on some C
preprocessor conditions since I don't know if the preconditions would
work correctly on Debian/kFreeBSD.

This vulnerability was reported to Debian Security Team and has been
assigned CVE-2011-0007.

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pimd depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib

pimd recommends no packages.

pimd suggests no packages.

-- no debconf information

diff -Naur pimd-2.1.5/pathnames.h pimd-2.1.5-patched/pathnames.h
--- pimd-2.1.5/pathnames.h	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pathnames.h	2011-01-05 23:17:29.598581558 +0100
@@ -40,13 +40,7 @@
 #define __PIMD_PATHNAMES_H__
 
 #define _PATH_PIMD_CONF         "/etc/pimd.conf"
-
-#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)
-#define _PATH_PIMD_DUMP         "/var/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/var/tmp/pimd.cache"
-#else  /* Really old system ... */
-#define _PATH_PIMD_DUMP         "/usr/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/usr/tmp/pimd.cache"
-#endif
+#define _PATH_PIMD_DUMP         "/var/lib/misc/pimd.dump"
+#define _PATH_PIMD_CACHE        "/var/lib/misc/pimd.cache"
 
 #endif /* __PIMD_PATHNAMES_H__ */
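Review bot: nothing in this hunk guarantees that /var/lib/misc exists and is owned by root with mode 0755 when pimd runs; the fix only holds if the packaging creates the directory and keeps those permissions, so that should land in the same change. The call that writes the dump is not touched here, so it still follows a symlink if one is planted at the new name; pairing the move with O_NOFOLLOW (plus O_EXCL or an fstat ownership check on the opened descriptor) would make the write safe even if the directory permissions regress. Removing the `#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)` block also drops the /usr/tmp fallback unconditionally, which matches the report but is worth a line in the changelog.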
diff -Naur pimd-2.1.5/pimd.8 pimd-2.1.5-patched/pimd.8
--- pimd-2.1.5/pimd.8	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pimd.8	2011-01-05 23:18:18.781100239 +0100
@@ -327,12 +327,12 @@
 The same as TERM.
 .It USR1
 Dumps the internal state of VIFs and multicast routing tables to
-.Pa /var/tmp/pimd.dump .
+.Pa /var/lib/misc/pimd.dump .
 See also the --show-routes option above.
 .\" Not implemented yet, still TODO
 .\" .It USR2
 .\" Dumps the internal cache tables to
-.\" .Pa /var/tmp/pimd.cache .
+.\" .Pa /var/lib/misc/pimd.cache .
 .\" Also not implemented yet, TODO
 .\" .It QUIT
 .\" Dumps the internal routing tables to stderr (only if
@@ -346,10 +346,10 @@
 .Pa /var/run/pimd.pid
 upon startup.
 .Sh FILES
-.Bl -tag -width /var/tmp/pimd.cache -compact
+.Bl -tag -width /var/lib/misc/pimd.cache -compact
 .It Pa /etc/pimd.conf
-.\" .It Pa /var/tmp/pimd.cache
-.It Pa /var/tmp/pimd.dump
+.\" .It Pa /var/lib/misc/pimd.cache
+.It Pa /var/lib/misc/pimd.dump
 .It Pa /var/run/pimd.pid
 .El
 .Sh SEE ALSO
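As an added illustration (not part of the report and not pimd's own code): the symlink redirection described in the report, reproduced in a scratch directory, beside a hardened open() that refuses it. The names naive_dump_open, hardened_dump_open and victim_clobbered_by are chosen here; the directory under /tmp, the "victim" file holding "secret" and the fake routing-table text are a constructed fixture, not anything pimd writes.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open() pattern the report describes: a fixed name in a world-writable
 * directory, truncated on every dump. open() follows symlinks, so a link
 * planted at that name redirects the truncate-and-write to the link target. */
int naive_dump_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant (assumed defence in depth, not pimd's code): O_NOFOLLOW
 * refuses a symlink at the final path component and O_EXCL refuses to reuse
 * an existing file, so a planted name cannot be written through. A stale
 * dump therefore has to be unlinked by the caller before the next open. */
int hardened_dump_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Descriptor-based check after the open: it cannot be raced by renames. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Stage the attack from the report in a scratch directory (constructed
 * fixture): a victim file holding "secret" and a symlink named pimd.dump
 * pointing at it. Returns 1 if writing the "dump" through the given opener
 * clobbered the victim, 0 if the victim survived, -1 on a setup error. */
int victim_clobbered_by(int (*opener)(const char *))
{
    char dir[64], victim[128], lnk[128], buf[64];
    int result = -1, vfd, fd;
    ssize_t n, w;

    snprintf(dir, sizeof dir, "/tmp/pimd-symlink-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/pimd.dump", dir);

    /* The victim file as it existed before the attack. */
    vfd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (vfd < 0)
        goto out;
    w = write(vfd, "secret", 6);
    close(vfd);
    if (w != 6)
        goto out;

    /* The unprivileged user's move: plant a symlink at the dump name. */
    unlink(lnk);
    if (symlink(victim, lnk) != 0)
        goto out;

    /* The daemon's move on USR1: open the dump path and write the table. */
    fd = opener(lnk);
    if (fd >= 0) {
        const char *table = "multicast routing table\n"; /* constructed content */
        w = write(fd, table, strlen(table));
        (void)w;
        close(fd);
    }

    /* Did the victim survive? */
    vfd = open(victim, O_RDONLY);
    if (vfd < 0)
        goto out;
    n = read(vfd, buf, sizeof buf - 1);
    close(vfd);
    if (n < 0)
        goto out;
    buf[n] = '\0';
    result = (strcmp(buf, "secret") != 0);

out:
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("naive open clobbers victim:    %d\n", victim_clobbered_by(naive_dump_open));
    printf("hardened open clobbers victim: %d\n", victim_clobbered_by(hardened_dump_open));
    return 0;
}
```

The demo uses a private, non-sticky directory so the naive case reproduces on any kernel; on a sticky world-writable directory such as /var/tmp, Linux with fs.protected_symlinks=1 already refuses to follow a symlink owned by a different user, which is why distributions now ship that sysctl on. The hardened flags are a complement to the patch, not a replacement for it: O_EXCL means the caller must unlink the previous dump first, and that unlink-then-create window is only safe when the directory itself is writable by root alone, which is exactly what moving the file to /var/lib/misc achieves.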
