Colin Phipps found a problem in fsh about a month ago:
On Sat, Oct 21, 2000 at 02:48:10PM +0000, Colin Phipps wrote:
> Package: fsh
> Version: 1.0.post.1-2.1
> Severity: normal
>
> fshd has to create a directory in /tmp to hold its sockets; since the
> dir is shared by sockets for different instances of fshd, it has to
> accept the possibility that the directory may already exist. The
> logic in fshd for doing this is currently:
>
> make the directory; if it already existed, chmod 0700 it
>
> Since the chmod will throw an exception if it fails, this (normally)
> prevents attacks with malicious local users precreating the socket
> directory and trying evil things. But there are two problems with
> this logic:
>
> - the chmod will follow symlinks, so a malicious user can symlink
> /tmp/fshd-<UID> to another file and when fshd is first run by that UID
> it will chmod 0700 the file pointed to.
> - the obvious race condition; an attacker could symlink /tmp/fshd-<UID>
> to a file owned by the user, then remove the symlink and create a
> directory there instead between the chmod and creation of the socket.
> This would defeat fshd's attempt to make the socket directory safe.
Unfortunately, he didn't report the bug to me, but to the Debian bug
reporting system. Less than twelve hours ago, I received notice about
the potential security problem, and made the 1.0.post.4 release that
should fix this problem.
I recommend that everybody upgrade to this version. And in the future,
please send security-related bug reports directly to
fsh-bugs(a)lists.lysator.liu.se or ceder(a)lists.lysator.liu.se!
/ceder
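The "make the directory; if it exists, chmod 0700 it" logic from the report, written the way it avoids both problems Colin describes, as an added example: this is not fsh's code and does not claim to reproduce the 1.0.post.4 change; the names secure_socket_dir and selftest are this example's own. The two ideas are to open the path with O_NOFOLLOW|O_DIRECTORY, so a planted symlink is refused rather than followed, and to do every check and the permission fix on the returned descriptor (fstat/fchmod), so whatever an attacker swaps in at the path after the open is irrelevant to what the program is holding.

```c
/* Added example, not fsh's code: create or validate a per-user socket
 * directory in a shared /tmp without following symlinks and without a
 * check-then-use gap on the path. Names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open fd on the verified directory, or -1 with errno set. */
int secure_socket_dir(const char *path)
{
    struct stat st;
    int fd, saved;

    /* Try to create it 0700; an existing entry is the only tolerated error. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW: a symlink at the final component fails (ELOOP) instead
     * of being followed. O_DIRECTORY: anything but a directory fails. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Inspect the object we hold, not whatever is at the path by now. */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid()) {
        errno = EPERM;              /* pre-created by someone else: refuse */
        goto fail;
    }
    /* Same intent as "chmod 0700 it", but on the descriptor we verified. */
    if ((st.st_mode & 0777) != 0700 && fchmod(fd, 0700) != 0)
        goto fail;
    return fd;

fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Constructed self-test in a private scratch directory: the happy path,
 * a too-open directory of our own, and the symlink-to-a-file case from
 * the report. Returns 0 on success, nonzero on the first failed check. */
int selftest(void)
{
    char base[] = "/tmp/fshdemo.XXXXXX";
    char sockdir[256], victim[256];
    struct stat st;
    int fd, rc = 1;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(sockdir, sizeof sockdir, "%s/fshd-%d", base, (int)getuid());
    snprintf(victim, sizeof victim, "%s/victim", base);

    /* 1. Fresh path: created with mode 0700 and opened. */
    fd = secure_socket_dir(sockdir);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0700)
        goto out;
    close(fd);

    /* 2. Our own directory, left 0755: tightened to 0700, not refused. */
    if (chmod(sockdir, 0755) != 0)
        goto out;
    fd = secure_socket_dir(sockdir);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0700)
        goto out;
    close(fd);

    /* 3. Symlink planted at the path pointing at a 0644 file: must be
     *    refused, and the file's mode must be untouched afterwards. */
    if (rmdir(sockdir) != 0)
        goto out;
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink(victim, sockdir) != 0)
        goto out;
    fd = secure_socket_dir(sockdir);
    if (fd >= 0) { close(fd); goto out; }
    if (stat(victim, &st) != 0 || (st.st_mode & 0777) != 0644)
        goto out;
    rc = 0;
out:
    unlink(sockdir);                /* removes the symlink, if present */
    rmdir(sockdir);                 /* removes the directory, if present */
    unlink(victim);
    rmdir(base);
    return rc;
}

int main(void)
{
    if (selftest() != 0) { perror("selftest"); return 1; }
    puts("selftest passed: symlink refused, checks done on the open fd");
    return 0;
}
```

Once the directory is known to be ours, using its path again to bind the sockets is safe in a sticky-bit /tmp, because only the owner of an entry (or of /tmp) may remove or rename it; on Linux a caller that wants to avoid the path entirely can address the socket relative to the descriptor via /proc/self/fd. The ownership check matters as much as O_NOFOLLOW: a directory pre-created by another user is simply refused, which is the only robust answer when the object at the path was never yours.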