Bugtraq mailing list archives
Re: SuSEs YaST Online Update - possible symlink attack
From: Roman Drahtmueller <draht () suse de>
Date: Wed, 7 Apr 2004 03:07:59 +0200 (MEST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
possible symlink attack in SuSEs YOU [YaST Online Update] in SuSE linux you can use YOU to auto update your system. you can do this by YaST or by hand with the command "online_update". as a normal user you can check for updates with the options "-q" or "-k". By doing this "online_update" will do the follwing: creats a directory in /usr/tmp/you-$USER in this direcoty it will creat the files "cookies", "quickcheack" and "youservers" (furthermore it creats some directorys- nevermind...). it doesnt check for a allready existing directory called "you-$USER" or for files like "cookies" which may be there.
The problem is present in SUSE Linux 8.2 and 9.0. SUSE Linux releases before 8.2 are not affected. Update packages for YOU will be released within the following days. They fix the vulnerability by using the user's home directory for storing the information about possibly pending updates. It should be noted that YOU (Yast Online Update) needs (of course) to be run as root to be able to not only check for updates, but to be able to actually install them.
bye and have a lot of phun l0om
As usual, we appreciate notices about security vulnerabilities at security () suse com, in particular because of lagged mailing lists. Encryption keys, detailed contact information, statements, announcements, useful links and other information can be found on the SUSE Security main website at http://www.suse.de/security/. Thanks, Roman Drahtmüller, SUSE Security. - -- - - | Roman Drahtmüller <draht () suse de> // "You don't need eyes to see, | SUSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: SUSE Security iD8DBQFAc1R9nkDjEAAKq6QRAg7zAJ95HPW540RGkkDfNNajspL9JDfDsQCgj2Mn VjvJ6TllMJKod4+xAgx/reo= =RgTg -----END PGP SIGNATURE-----
Current thread:
- SuSEs YaST Online Update - possible symlink attack Rene (Apr 05)
- Re: SuSEs YaST Online Update - possible symlink attack Roman Drahtmueller (Apr 07)