oss-sec mailing list archives
CVE Request: thermald
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 7 Mar 2014 19:00:17 -0800
Hello, I discovered that the thermald temperature management daemon opens a file with predictable filename in /tmp unsafely. Please assign a CVE number for this issue:

https://github.com/01org/thermal_daemon/blob/master/src/android_main.cpp#L117

In short:

    int main(int argc, char *argv[]) {
    /* ... */
        if (!no_daemon) {
            daemonize((char *) "/tmp/", (char *) "/tmp/thermald.pid");
        } else
    /* ... */

    static void daemonize(char *rundir, char *pidfile) {
    /* ... */
        pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);

thermald runs as root; on systems that lack the Openwall-inspired symlink and hardlink protections in world-writable directories this can be used to write the process's pid to a file of the attacker's choosing.

Note that this affects only the main() function provided in the android_main.cpp file; the main() routine in main.cpp does not have this issue.

Thanks
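An added example, not part of the original message and not thermald's code: it runs the open() flags quoted above and an O_EXCL variant against a pid file path that is already a symlink, inside a private scratch directory. The function names, the scratch directory and the choice of O_EXCL as the hardening are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Same flags as the daemonize() excerpt: follows a symlink planted at path. */
static int open_pidfile_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened variant (assumed, not the project's fix): O_EXCL makes open() fail
 * with EEXIST if anything, a symlink included, already exists at path. */
static int open_pidfile_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Constructed scenario in a private scratch directory: thermald.pid is a
 * symlink to "target". Returns 0 if the scenario ran; results via pointers. */
static int symlink_demo(int *safe_errno, int *target_created)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", pid[64], target[64];
    int fd, rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(pid, sizeof pid, "%s/thermald.pid", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, pid) != 0) goto out;
    fd = open_pidfile_safe(pid);              /* refused: the link exists */
    *safe_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    if ((fd = open_pidfile_unsafe(pid)) < 0) goto out;  /* follows the link */
    dprintf(fd, "%ld\n", (long)getpid());     /* pid lands in "target" */
    close(fd);
    *target_created = (access(target, F_OK) == 0);
    rc = 0;
out:
    unlink(pid); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    int err = 0, created = 0;
    if (symlink_demo(&err, &created) != 0) return 1;
    printf("hardened errno=%d (EEXIST=%d), unsafe created target=%d\n", err, EEXIST, created);
    return 0;
}
```

The scratch directory is neither sticky nor world-writable, so the symlink protections the message mentions do not apply to it and the unsafe open follows the link.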