This was publicly reported yesterday. Tim
---------- Forwarded Message ----------
Subject: openvas 2.x race condition
Date: Sunday 04 Sep 2011, 23:56:48
From: Bugs NotHugs <bugsnoth...@gmail.com>
To: fd <full-disclos...@lists.grok.org.uk>, bugtraq
<bugt...@securityfocus.com>, vu...@securityfocus.com, v...@secunia.com,
submissi...@packetstormsecurity.org, xfo...@iss.net, v...@frsirt.com,
t...@openvas.org
> openvas-server/openvas/oval_plugins.c
> [...]
> results_filename = "/tmp/results.xml";
> if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
> {
> log_write ("Found existing results file in %s, deleting it to
> avoid conflicts.", results_filename);
it unlink /tmp/results.xml avoid symlink attack then spawn process
that write stuff to /tmp/results.xml
chinese apt can make symlink point to any system file during race and win race!
--
BugsNotHugs
Shared Vulnerability Disclosure Account
-----------------------------------------
--
Tim Brown
<mailto:t...@openvas.org>
<http://www.openvas.org/>
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Openvas-devel mailing list Openvas-devel@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
