Package: dpkg
Version: 1.9.21
Severity: grave
Tags: security

See http://lists.jammed.com/ISN/2003/12/0056.html

Users can make hardlinks to root-owned setuid binaries in the usual partitioning configurations, so unlinking them is not a reliable way to get rid of them. With the current dpkg behaviour it's not enough to upgrade the package before malicious local users get their hands on the exploit, since they can stash the binary away and wait for an exploit to become available.

I think a fix for this might be to open() the binary, unlink() it, and then use fchmod() to remove the setuid and setgid bits. (Optionally check the link count to see if someone is trying this and print a warning.)

truncate() is out since running copies of the binaries won't like it, and a normal chmod() would be racy...

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.6.0 #2 Sun Dec 21 10:27:12 EET 2003 i686
Locale: LANG=C, LC_CTYPE=fi_FI

Versions of packages dpkg depends on:
ii  libc6                   2.3.2.ds1-10    GNU C Library: Shared libraries an
ii  libncurses5             5.3.20030719-2  Shared libraries for terminal hand
ii  libstdc++2.10-glibc2.2  1:2.95.4-15     The GNU stdc++ library

-- no debconf information

