[Lazarus] xml reader AV

zeljko zeljko at holobit.net
Sat Aug 30 11:04:11 CEST 2008


On Fri, 29 Aug 2008 18:31:42 +0200
Joost van der Sluis <joost at cnoc.nl> wrote:

> On Friday 29-08-2008 at 15:53 [timezone +0200], Mattias
> Gaertner wrote:
> > On Fri, 29 Aug 2008 14:55:00 +0200
> > Joost van der Sluis <joost at cnoc.nl> wrote:
> > 
> > > Hi all,
> > > 
> > > As the packager of Lazarus in Fedora, I get notifications if
> > > someone files a bug in Fedora's bug-tracker. 
> > > 
> > > Now someone added a bug-report with a security issue:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=460642
> > > 
> > > And indeed, if someone adds a symlink like 'ln
> > > -s /tmp/fpc_patchdir /etc' and thereafter someone with
> > > root-permissions runs the check_fpc_dependencies.sh script with the
> > > following code in it he won't be happy:
> > > 
> > > TmpDir=/tmp/fpc_patchdir
> > > if [ "$WithTempDir" = "yes" ]; then
> > >   if [ -d $TmpDir ]; then
> > >     rm -rf $TmpDir/*
> > >     rm -r $TmpDir
> > >   fi
> > > 
> > > How can we fix this?
> > 
> > I replaced it with
> >   rm -rf $TmpDir
> 
> Read the link, this was only one example, but there are more. And your
> solution works for the hack in my example, but I doubt it is entirely
> safe.

You are right.
The script was not intended to run on malicious multi-user systems. It
was written to create an rpm and to easily debug the rpm building.
Using the tmp directory is per se a security risk. It would be better
to use the home directory by default. But this does not work on some
systems.
The best ad hoc solution is already mentioned in the link: don't add
the scripts to the rpm.

Mattias
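
Added example, not part of the original thread or of check_fpc_dependencies.sh: one way to avoid the fixed /tmp/fpc_patchdir path discussed above is a per-run directory from mktemp plus a removal step that refuses symlinks. The function names and the fpc_patchdir.XXXXXX template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not taken from
# check_fpc_dependencies.sh.

# Create a private work directory with an unpredictable name. mktemp -d
# creates it atomically with mode 0700, so another local user cannot
# pre-create it or plant a symlink at a path known in advance.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/fpc_patchdir.XXXXXX"
}

# Remove a work directory only if it is a real directory (not a symlink)
# owned by the user running the script. Prints the reason on refusal.
safe_remove_tmpdir() {
    dir=$1
    [ -n "$dir" ] || return 1
    if [ -L "$dir" ]; then
        echo "refusing to remove $dir: it is a symlink" >&2
        return 1
    fi
    # Nothing to clean up if the directory does not exist.
    [ -d "$dir" ] || return 0
    if [ ! -O "$dir" ]; then
        echo "refusing to remove $dir: not owned by the current user" >&2
        return 1
    fi
    # Quoted path, "--" to stop option parsing, and no "$dir"/* glob.
    rm -rf -- "$dir"
}

# Typical use: create the directory, clean it up on exit.
work=$(make_private_tmpdir) || exit 1
trap 'safe_remove_tmpdir "$work"' EXIT
```

The ownership and symlink checks narrow the window but are not atomic with the removal; the main protection is that the directory is created fresh, with a random name and mode 0700, by the user who later deletes it.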
