[apparmor] [Bug 835525] [NEW] compiz-fusion-plugins-extra includes a "crash handler" plugin

daveb 835525 at bugs.launchpad.net
Sat Aug 27 16:09:13 UTC 2011


*** This bug is a security vulnerability ***

Private security bug reported:

compiz-fusion-plugins-extra includes a "crash handler" plugin; the source of this program can be found at src/crashhandler/crashhandler.c. In the source file the function crash_handler() executes some debugging commands after compiz crashes (I sent it a SIGABRT as a test :) ). It performs some debugging before dumping the output to /tmp/gdb.tmp (which gets deleted) and placing it into the configured crash directory (which by default is /tmp). In both cases the program does not verify whether the files already exist or are symbolic links.
Note: A user would need to have compiz-fusion-plugins-extra installed and the crash-handler plugin enabled.


The vulnerable code is the following:
        // backtrace
        char cmd[1024];

        snprintf (cmd, 1024, 
                  "echo -e \"set prompt\nthread apply all bt full\n"
                  "echo \\\\\\n\necho \\\\\\n\nbt\nquit\" > /tmp/gdb.tmp;"
                  "gdb -q %s %i < /tmp/gdb.tmp | "
                  "grep -v \"No symbol table\" | "
                  "tee %s/compiz_crash-%i.out; rm -f /tmp/gdb.tmp; "
                  "echo \"\n[CRASH_HANDLER]: "
                  "\\\"%s/compiz_crash-%i.out\\\" created!\n\"",
                 programName, getpid (), crashhandlerGetDirectory (cDisplay),
                 getpid (), crashhandlerGetDirectory (cDisplay), getpid () );

        system (cmd);
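The following is an added example, not code from the bug report or from compiz, that isolates the file-handling point above: the shell redirection `> /tmp/gdb.tmp` and `tee <dir>/compiz_crash-<pid>.out` open a predictable name in a world-writable directory with create-or-truncate semantics, so a symlink planted there by another local user is silently followed. The hardened variants use O_CREAT|O_EXCL|O_NOFOLLOW for a fixed name and mkstemp() for the scratch command file. The function names, the `/tmp/gdb-cmds.XXXXXX` template and the planted-symlink scenario are assumptions constructed for the demonstration; no actual race is run, the attacker is simply modelled as having planted the link first.

```c
/* Added example (not compiz code). Demonstrates why the crash handler's
 * fixed paths in /tmp can be redirected by a pre-planted symlink and how
 * O_EXCL|O_NOFOLLOW or mkstemp() close the hole. Function names and the
 * scenario below are constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Emulates what the shell does for "> /tmp/gdb.tmp" and "tee <dir>/file":
 * create-or-truncate, following any symlink already sitting at that path. */
int open_like_shell_redirect(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open for a fixed name: refuse to reuse any existing entry
 * (O_EXCL) and never traverse a symlink at the final component (O_NOFOLLOW).
 * Fails with EEXIST (or ELOOP) if someone pre-planted the name. */
int open_crash_file_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* For the scratch gdb command file, an unpredictable name from mkstemp()
 * (created O_EXCL, mode 0600) replaces the fixed /tmp/gdb.tmp. Returns the
 * open fd and stores the path in 'out', or -1 on failure. Template name is
 * an assumption for this example. */
int create_gdb_command_file(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/gdb-cmds.XXXXXX";
    const char *cmds = "set prompt\nthread apply all bt full\nbt\nquit\n";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (write(fd, cmds, strlen(cmds)) != (ssize_t)strlen(cmds)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(out, outlen, "%s", tmpl);
    return fd;
}

/* Self-check for create_gdb_command_file(): returns 1 when the file was
 * created under the expected prefix with 0600 permissions, then removes it. */
int gdb_command_file_selftest(void)
{
    char path[4096];
    struct stat st;
    int fd = create_gdb_command_file(path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = fstat(fd, &st) == 0
          && (st.st_mode & 0777) == 0600
          && strncmp(path, "/tmp/gdb-cmds.", 14) == 0;
    close(fd);
    unlink(path);
    return ok;
}

/* Constructed scenario: a "victim" file exists and an attacker has planted a
 * symlink named gdb.tmp pointing at it. Returns 1 when the shell-style open
 * wrote through the symlink (victim truncated and overwritten) AND the
 * hardened open refused the planted name; 0 otherwise. */
int symlink_race_demo(void)
{
    char dir[] = "/tmp/crashdemo.XXXXXX";
    char victim[4096], planted[4096];
    struct stat st;
    int fd, sfd, followed, refused;

    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/gdb.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rmdir(dir); return 0; }
    if (write(fd, "secret", 6) != 6) { close(fd); unlink(victim); rmdir(dir); return 0; }
    close(fd);
    if (symlink(victim, planted) != 0) { unlink(victim); rmdir(dir); return 0; }

    /* Vulnerable pattern: the write lands in the victim file. */
    fd = open_like_shell_redirect(planted);
    if (fd >= 0) {
        if (write(fd, "owned", 5) != 5) { /* ignore; stat below decides */ }
        close(fd);
    }
    followed = (stat(victim, &st) == 0 && st.st_size == 5);

    /* Hardened pattern: the planted link is rejected outright. */
    errno = 0;
    sfd = open_crash_file_safely(planted);
    refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0)
        close(sfd);

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return followed && refused;
}

int main(void)
{
    printf("symlink followed by shell-style open, refused by hardened open: %d\n",
           symlink_race_demo());
    printf("mkstemp command file ok: %d\n", gdb_command_file_selftest());
    return 0;
}
```

Two caveats a practitioner would want here: the real handler runs from a signal handler, where open() with these flags is async-signal-safe but mkstemp() and system() are not, so the cleanest fix is to avoid a command file entirely and pass the commands with gdb's -batch and -ex options; and O_EXCL only protects the final component, so the per-user crash directory should itself be a directory the attacker cannot write to rather than a shared /tmp.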

** Affects: apparmor-profiles
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/835525

Title:
  compiz-fusion-plugins-extra includes a "crash handler" plugin

Status in AppArmor Profiles:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/835525/+subscriptions