[Bug 299560] Re: Insecure xfs start/stop script
xfs (1:1.0.8-6) unstable; urgency=low * QA upload. * Unsafe /tmp usage fixed in the init script. (Closes: #521107) -- Ubuntu Archive Auto-Sync arch...@ubuntu.com Mon, 30 Nov 2009 23:47:14 + ** Changed in: xfs (Ubuntu) Status: Triaged = Fix Released -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Changed in: xfs (Debian) Status: New = Fix Released -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Changed in: xfs (Debian) Status: Unknown = New -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Tags added: hardy -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Changed in: xfs (Ubuntu) Importance: Undecided = Low ** Changed in: xfs (Ubuntu) Status: Incomplete = Triaged -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Bug watch added: Debian Bug tracker #521107 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107 ** Also affects: xfs (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521107 Importance: Unknown Status: Unknown -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Description changed: Binary package hint: xfs The xfs start/stop script /etc/init.d/xfs is insecure. There is a problematic function set_up_socket_dir in this script: SOCKET_DIR=/tmp/.font-unix [...] set_up_socket_dir () { echo -n Setting up X font server socket directory $SOCKET_DIR... if [ -e $SOCKET_DIR ] ! [ -d $SOCKET_DIR ]; then mv $SOCKET_DIR $SOCKET_DIR.$$ fi if ! [ -d $SOCKET_DIR ]; then mkdir -m 1777 $SOCKET_DIR || : do_restorecon $SOCKET_DIR || : fi echo done. } This function moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately $$ is predictable and there is no test, that /tmp/.font-unix.$$ does not already exist. So especially symlink attacks are possible. The attack is only possible, if /tmp/.font-unix does not already exist. Then an attacker could create an /tmp/.font-unix file (not directory) and create some symlinks in the form /tmp/.font-unix. (where are possible PID numbers). The start script than moves /tmp/.font-unix to an symlinked directory /tmp/.font-unix.. I suggest to delete the contents of /tmp/.font-unix is this file is not a directory. For instance rm -rf /tmp/.font-unix should be ok (rm from coreutils should be safe). A possible fix is also described here: https://bugzilla.novell.com/show_bug.cgi?id=408006 - The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is - attached. + The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is attached. + [lspci] + 00:00.0 Host bridge [0600]: ATI Technologies Inc RS200/RS200M AGP Bridge [IGP 340M] [1002:cbb2] (rev 02) + Subsystem: Sony Corporation Device [104d:8175] + 01:05.0 VGA compatible controller [0300]: ATI Technologies Inc M9+ 5C61 [Radeon Mobility 9200 (AGP)] [1002:5c61] (rev 01) + Subsystem: Sony Corporation Device [104d:8175] -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
Here is the output of `lspci -vvnn`. But I don't think that this is a hardware related bug. ** Attachment added: Output of `lspci -vvnn` http://launchpadlibrarian.net/21049638/lspci-vvnn.log -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
[This is an automated message] Hi bjoern, Please attach the output of `lspci -vvnn` too. ** Changed in: xfs (Ubuntu) Status: New = Incomplete -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Bug watch added: Novell/SUSE Bugzilla #408006 https://bugzilla.novell.com/show_bug.cgi?id=408006 ** Also affects: opensuse via https://bugzilla.novell.com/show_bug.cgi?id=408006 Importance: Unknown Status: Unknown -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Changed in: opensuse Status: Unknown = Fix Released -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 299560] Re: Insecure xfs start/stop script
** Visibility changed to: Public -- Insecure xfs start/stop script https://bugs.launchpad.net/bugs/299560 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs