From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <systemtap-return-11201-listarch-systemtap=sources.redhat.com@sourceware.org>
Received: (qmail 26426 invoked by alias); 15 Feb 2009 21:24:49 -0000
Received: (qmail 26404 invoked by uid 48); 15 Feb 2009 21:24:38 -0000
Date: Sun, 15 Feb 2009 21:26:00 -0000
From: "eugen at debian dot org" <sourceware-bugzilla@sourceware.org>
To: systemtap@sources.redhat.com
Message-ID: <20090215212438.9849.eugen@debian.org>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug runtime/9849] New: dtrace: Unsafe temporary file handling
X-Bugzilla-Reason: AssignedTo
Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <systemtap.sourceware.org>
List-Subscribe: <mailto:systemtap-subscribe@sourceware.org>
List-Post: <mailto:systemtap@sourceware.org>
List-Help: <mailto:systemtap-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: systemtap-owner@sourceware.org
X-SW-Source: 2009-q1/txt/msg00444.txt.bz2

dtrace -G creates temporary file with name of probe file
but with extension .c (if probe file had extension .d).
Also dtrace makes no checks if that file already exist.
This makes symlink attack possible:

% touch test.d
% rm -f /tmp/somefile /tmp/test.c
% ln -s /tmp/somefile /tmp/test.c
% ./dtrace -G -s test.d
% cat /tmp/somefile
static __dtrace () {}

Symlink can be created by any user.

dtrace should use python equivalent of mkstemp(3) to avoid this bug.

-- 
           Summary: dtrace: Unsafe temporary file handling
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
        AssignedTo: systemtap at sources dot redhat dot com
        ReportedBy: eugen at debian dot org


http://sourceware.org/bugzilla/show_bug.cgi?id=9849

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.