
Re: Uploaded devscripts 2.0.0 (source all) to master



Julian Gilbey wrote:
> > Julian Gilbey wrote:
> > >    * Now debchange works on a version of the changelog in /tmp and only
> > >      overwrites the current changelog if everything is OK; this is much
> > >      safer than the original version.  Also, all system calls have their
> > >      return status checked
> > 
> > Did you do this safely? I.e., did you protect against file in /tmp exploits?
> 
> debchange runs with no special privileges, so I haven't taken
> precautions against /tmp exploits.  What I will do, though, is to
> disable debchange from running as root or setuid root for the next
> release.

Sorry, this means that I can file a critical security bug on devscripts.
Consider this:

ln -s /home/joey/thesis.txt /tmp/changelog

If an attacker on the system tries something like this, joey's thesis paper
will be replaced with a copy of his changelog the next time he uses debchange.
(This is assuming you use /tmp/changelog as the tmp file.)

The correct solution to this is to not use /tmp. Just output to
debian/changelog.new and move that over top of debian/changelog when done.

-- 
see shy jo
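
The two approaches discussed in the message above, as an added example that is not part of the original thread or of devscripts: a shell sketch that runs entirely in a private scratch directory. The function names, the scratch layout, and the rm/noclobber step in safe_update are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All paths live in a private scratch directory; "$d/tmp"
# stands in for the shared /tmp and "$d/home/thesis.txt" for the victim file.

# Unsafe: stage the new changelog under a fixed name in a shared directory.
# The ">" redirection follows any symlink already planted at that name.
unsafe_update() {   # $1 = shared tmp dir, $2 = changelog, $3 = new entry
    { printf '%s\n' "$3"; cat "$2"; } > "$1/changelog" || return 1
    cp "$1/changelog" "$2"
}

# Safe: stage debian/changelog.new beside the target, then rename it over
# the original. rm and noclobber (set -C) are extra hardening assumed here:
# a stale link at the .new name is removed, never written through.
safe_update() {     # $1 = changelog, $2 = new entry
    rm -f "$1.new" || return 1
    ( set -C; { printf '%s\n' "$2"; cat "$1"; } > "$1.new" ) || return 1
    mv -f "$1.new" "$1"
}

# Build the scratch layout (constructed sample data) and plant the link
# described in the message.
make_scratch() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/home" "$d/pkg/debian"
    echo "thesis text" > "$d/home/thesis.txt"
    echo "old entry" > "$d/pkg/debian/changelog"
    ln -s "$d/home/thesis.txt" "$d/tmp/changelog"
    echo "$d"
}

d=$(make_scratch) || exit 1
unsafe_update "$d/tmp" "$d/pkg/debian/changelog" "new entry"
echo "after unsafe_update, thesis.txt starts with: $(head -n 1 "$d/home/thesis.txt")"

echo "thesis text" > "$d/home/thesis.txt"          # restore the victim file
ln -s "$d/home/thesis.txt" "$d/pkg/debian/changelog.new"
safe_update "$d/pkg/debian/changelog" "newer entry"
echo "after safe_update,   thesis.txt starts with: $(head -n 1 "$d/home/thesis.txt")"
rm -rf "$d"
```

The rename in safe_update stays within one directory, so the changelog is replaced in a single step and a failed write leaves the original untouched.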

