Since the only advisory of the month has gone out I'll
tell you what I've been doing.
Inspired by Javier's regular tmpfile problems I decided to
look at all the packages containing a file in /etc/cron.d
and /etc/cron.daily.
Looking for these via the packages.debian.org page was
simple enough and there were about two pages of results
for each search.
I got the source to each of them and looked for tmpfile
problems in the cron-scripts themselves, rather than the
actual packages, and got one hit:

    test -x /usr/sbin/fcheck && if ! /usr/sbin/fcheck -asxrf
    /etc/fcheck/fcheck.cfg >/var/tmp/fcheck.out ...

'/var/tmp/fcheck.out' could be created as a symbolic
link to corrupt/touch arbitrary files upon the system.
No other bugs found, but if anybody wishes to see if I
missed one or two feel free. It was a simple job to look
at each package in turn and only took me two nights all
told.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
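
The kind of check described in the message above, as an added example (not part of the original post and not the audit project's own tooling): a shell function that flags cron-script lines redirecting output to a literal path under /tmp or /var/tmp, plus a constructed sample tree to run it on. The script names and /usr/sbin/examplecheck are hypothetical.

```shell
#!/bin/sh
# Added example: audit cron scripts for output redirected to fixed temp paths.

# Print "file:line:text" for every non-comment line that redirects output
# (> or >>) to a literal path under /tmp or /var/tmp. Targets held in a
# variable (e.g. the result of mktemp) are not flagged.
find_fixed_tmp_redirects() {
    dir=$1
    grep -rnE '>>?[[:space:]]*"?/(var/)?tmp/[A-Za-z0-9._-]' "$dir" 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Build a constructed sample tree and print its path: one script with a
# predictable output file, one that asks mktemp(1) for a fresh file instead.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/cron.daily"
    cat > "$root/cron.daily/risky" <<'EOF'
#!/bin/sh
# old: examplecheck > /tmp/old.out
/usr/sbin/examplecheck > /var/tmp/examplecheck.out 2>&1
EOF
    cat > "$root/cron.daily/safer" <<'EOF'
#!/bin/sh
out=$(mktemp) || exit 1
trap 'rm -f "$out"' EXIT
/usr/sbin/examplecheck > "$out" 2>&1
EOF
    printf '%s\n' "$root"
}

# Audit any directories given on the command line,
# e.g. an unpacked source tree's cron.d and cron.daily directories.
for d in "$@"; do
    find_fixed_tmp_redirects "$d"
done
```

Each hit still needs a manual look, since the pattern only shows where a fixed name is written to, not whether the surrounding script already guards it.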