[Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

Martin Friebe lazarus at mfriebe.de
Fri Aug 29 17:47:22 CEST 2008


Just some ideas on the topic. IMHO the tmp-dir should have a random, or 
pseudo-random element to it, and the current script should not (at least 
not without asking) delete a tmp-dir.

A random element (such as the PID) would solve issues if 2 different 
users run the script simultaneously (e.g. if both install a local copy of 
lazarus into their home dirs). In terms of security it would make any 
attack on the tmp dirs harder.

This example also shows why existing temp dirs should not be deleted 
(without asking). They could still be in use. I have not checked the 
current script (and neither am I an expert on shell scripting), but I 
assume that the script removes its temp script on exit? And "trap" could 
be used to make sure this happens even if aborted?

Regards
Martin

Vincent Snijders wrote:
> Joost van der Sluis schreef:
>   
>> Hi all,
>>
>> As the packager of Lazarus in Fedora, I get notifications if someone
>> files a bug in Fedora's bug-tracker. 
>>
>> Now someone added a bug-report with a security issue:
>> https://bugzilla.redhat.com/show_bug.cgi?id=460642
>>
>> And indeed, if someone adds a symlink like 'ln -s /tmp/fpc_patchdir /etc'
>> and thereafter someone with root-permissions runs the
>> check_fpc_dependencies.sh script with the following code in it he won't
>> be happy:
>>
>> TmpDir=/tmp/fpc_patchdir
>> if [ "$WithTempDir" = "yes" ]; then
>>   if [ -d $TmpDir ]; then
>>     rm -rf $TmpDir/*
>>     rm -r $TmpDir
>>   fi
>> fi
>>
>
> Somebody reported the same (or similar) issues in the debian bug tracker.
>
> Maybe the best solution is not to package these scripts in rpm/debs, so 
> that they don't enter the dangerous wild where people are running 
> scripts with root permissions and add symlinks in the tmp directory.
>
> Vincent
> _______________________________________________
> Lazarus mailing list
> Lazarus at lazarus.freepascal.org
> http://www.lazarus.freepascal.org/mailman/listinfo/lazarus
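To illustrate the mitigations Martin proposes above (an unpredictable directory name, never deleting a pre-existing path, and a trap that cleans up only what the script created), here is an added example of safer TmpDir handling. It is not the Lazarus check_fpc_dependencies.sh script; it assumes only POSIX sh plus mktemp(1), and the fpc_patchdir.XXXXXX name prefix is a constructed choice.

```shell
#!/bin/sh
# Added example of safer temp-dir handling, not the Lazarus script itself.
# Assumes POSIX sh and mktemp(1); the name prefix below is constructed.

# Remove a directory only if it is a real directory, never a symlink.
# The quoted "rm -rf $TmpDir/*" follows a symlink named /tmp/fpc_patchdir
# into its target (e.g. /etc); refusing symlinks here closes that path.
safe_remove_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing to remove symlink: $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || return 1
    rm -rf -- "$dir"
}

# Create a fresh, unpredictably named directory (mode 0700) instead of
# reusing the fixed /tmp/fpc_patchdir. mktemp fails rather than reusing an
# existing name, so a pre-placed symlink or another user's directory is
# never adopted, and never deleted, by this script.
make_tmpdir() {
    TmpDir=$(mktemp -d "${TMPDIR:-/tmp}/fpc_patchdir.XXXXXX") || return 1
    # Clean up our own directory on normal exit; signals route through exit
    # so the same cleanup also runs on Ctrl-C or a killed script.
    trap 'safe_remove_dir "$TmpDir"' EXIT
    trap 'exit 1' HUP INT TERM
}
```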