plaguez security advisory n. 9

                     RedHat rpm vulnerability





Program:  rpm(8), the RedHat Package Manager

Version:  2.3.11 current (shipped with RedHat Linux 4.2)
          older ones as well.

OS:       RedHat Linux specific.

Problem:  temporary files.

Impact:   can be exploited to overwrite arbitrary files
          on the system.



  Hello,

  Adding fuel to the temp. file discussion, here is yet another problem
 with temporary file checking.

  RPM (Redhat Package Manager) has many useful features.  One of these
 features is to retrieve a file off of the net and install it all in
 one step.  When RPM is used this way, the file RPM is retrieving is
 temporarily stored in /var/tmp.  The file mask RPM uses is
 rpm-ftp-$no-$pid.tmp whereas $no is the number of the package in the
 queue (0,1,2,...).

   Unfortunatly, rpm does not properly check if the temporary file
 already exists, and will follow symlinks.  As rpm is often ran by
 root, it is then possible to overwrite any file on the system,
 regardless of access permissions.


 Fix:
 ----

 Apply the following temporary patch below to url.c in the rpm
 source directory.  RedHat should soon come with the proper fix.

 196c196,201
<     fd = creat(dest, 0600);
---
> //    fd = creat(dest, 0600);
>    if(-1==(fd=open(dest,O_CREAT|O_EXCL|O_RDWR,0600)))
>      {
>       perror(dest);
>       exit(1);
>      }



See you next week,

-plaguez


------------------------
        plaguez
dube0866@eurobretagne.fr
  http://www.innu.org
------------------------