Hi,
I (re?)discovered an entertaining way to introduce tmpfile
vulnerabilities while using the right tools (tempfile/mktemp). The
general pattern is:
TEMPFILE=`tempfile`.suffix
as opposed to
TEMPFILE=`tempfile --suffix .suffix`
An attacker can monitor /tmp using inotify, wait for the relevant file
to be created and can then quickly create the corresponding
tmpfile.suffix symbolic link to escalate privileges.
This can be found in:
1) localepurge
http://bugs.debian.org/736359
$ grep tempfile -r .
./debian/postrm: DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$
The localepurge package is Debian-specific. The relevant code runs at
installation time as root.
2) syncevolution
http://bugs.debian.org/736357
$ grep 'mktemp`\.' -r .
./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
$
The relevant code is part of the upstream package and is executed at
build time.
3) axiom (packaging)
http://bugs.debian.org/736358
$ grep 'tempfile).' -r .
./debian/axiom-test.sh:k=$(tempfile).input
$
The relevant code is part of the Debian packaging (upstream axiom is not
affected). It can be used on Debian systems to run the test suite when
the relevant package is installed.
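As an added example (not code from the report or from any of the three packages), the script below audits shell source for the `tempfile`.suffix / $(tempfile).suffix pattern described above and shows the corrected form. The linter is run over the six grep findings quoted in this message plus three correct usages constructed for contrast. It assumes GNU coreutils mktemp, which accepts --suffix just like debianutils' tempfile; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the report or the affected packages.
# Assumes GNU coreutils mktemp (supports --suffix); tempfile(1) from
# debianutils takes the same option, as the report notes.

# ERE matching a tempfile/mktemp command substitution that is immediately
# followed by ".something" outside the substitution: the tool created one
# file atomically, but the script goes on to use a *different*, guessable
# path that nothing has reserved.
UNSAFE_RE='(`(tempfile|mktemp)[^`]*`|\$\((tempfile|mktemp)[^)]*\))\.[A-Za-z0-9_$]'

# Print matching lines (with line numbers) from shell source on stdin.
find_unsafe_suffix_tempfiles() {
    grep -nE "$UNSAFE_RE"
}

# Print the number of matching lines on stdin (0 for a clean file).
count_unsafe_suffix_tempfiles() {
    grep -cE "$UNSAFE_RE" || true
}

# Safe replacement: ask the tool for the suffix, so the file that exists on
# disk is the file the script will use. Prints the path; fails if mktemp does.
make_tempfile_with_suffix() {
    mktemp --suffix="$1"
}

# Check that a path a script is about to write to is a regular file and
# not a symlink (the condition the attack in the report violates).
# Returns 0 when safe, 1 otherwise.
is_regular_not_symlink() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Constructed sample input: the first six lines are the report's grep
# findings, the last three are correct usages that must not be flagged.
SAMPLE='DEBREINSTALL="$(tempfile).$$"
TEMPFILE=$(tempfile).$$
LOCALEGEN=$(tempfile).locale.gen
TMPFILE_CXX=`mktemp`.cxx
TMPFILE_O=`mktemp`.o
k=$(tempfile).input
SAFE1=$(tempfile --suffix .input)
SAFE2=$(mktemp --suffix=.cxx)
SAFE3=`mktemp`'

# Demonstration: lint the sample, then create a properly suffixed file.
printf '%s\n' "$SAMPLE" | find_unsafe_suffix_tempfiles
f=$(make_tempfile_with_suffix .cxx) && is_regular_not_symlink "$f" && echo "ok: $f" && rm -f "$f"
```

Running it prints the six offending lines with their numbers and leaves the three correct ones alone; the final line creates e.g. /tmp/tmp.XXXXXXXXXX.cxx atomically with mode 0600, so there is no second path for anyone watching /tmp to pre-create.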
The Debian bug reports are the first public mention of these
particular issues. Please assign CVE identifiers as needed.