[Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

Vincent Snijders vsnijders at quicknet.nl
Fri Aug 29 16:53:06 CEST 2008


Joost van der Sluis schreef:
> Hi all,
> 
> As the packager of Lazarus in Fedora, I get notifications if someone
> files a bug in Fedora's bug-tracker. 
> 
> Now someone added a bug-report with a security issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=460642
> 
> And indeed, if someone adds a symlink like 'ln -s /tmp/fpc_patchdir /etc'
> and thereafter someone with root-permissions runs the
> check_fpc_dependencies.sh script with the following code in it he won't
> be happy:
> 
> TmpDir=/tmp/fpc_patchdir
> if [ "$WithTempDir" = "yes" ]; then
>   if [ -d $TmpDir ]; then
>     rm -rf $TmpDir/*
>     rm -r $TmpDir
>   fi
> fi
> 

Somebody reported the same (or similar) issues in the Debian bug tracker.

Maybe the best solution is not to package these scripts in rpm/debs, so 
that they don't enter the dangerous wild where people are running 
scripts with root permissions and adding symlinks in the tmp directory.

Vincent
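For readers of the archive: the quoted snippet fails because `[ -d $TmpDir ]` is true for a symlink that points at a directory, and `rm -rf $TmpDir/*` then follows the link into its target. The following is an added example (not Lazarus code, and the function names `safe_tmpdir` and `safe_cleanup` are invented here) of how a cleanup step of this kind is usually hardened: the temp directory is created with `mktemp -d` so no pre-placed path can be at that name, and the removal refuses anything that is a symlink or lies outside the temp area.

```shell
#!/bin/sh
# Added example, not from the Lazarus scripts. Demonstrates a safe
# replacement for a fixed "TmpDir=/tmp/fpc_patchdir" plus "rm -rf".

# Create a private, unpredictably named directory under the temp area.
# Because the name is chosen by mktemp at creation time, nothing can
# have been planted at that path beforehand. Prints the path on stdout.
safe_tmpdir() {
    TmpDir=$(mktemp -d "${TMPDIR:-/tmp}/fpc_patchdir.XXXXXX") || return 1
    printf '%s\n' "$TmpDir"
}

# Remove a temp directory only if it is safe to do so:
#   - the path must lie inside the temp area,
#   - it must not be a symlink (-L tests the link itself, unlike -d),
#   - a missing directory is simply nothing to do.
# Returns 0 on success or when nothing needed removing, 1 when refused.
safe_cleanup() {
    dir=$1
    case "$dir" in
        /tmp/*|"${TMPDIR:-/tmp}"/*) ;;
        *) echo "refusing: $dir is not under the temp area" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        return 0
    fi
    rm -rf -- "$dir"
}
```

The check-then-remove in `safe_cleanup` is only a backstop; the real protection is that the directory name comes from `mktemp`, so a script running as root never removes a path an unprivileged user could have chosen in advance.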



More information about the Lazarus mailing list