[Bug 642855] Re: Insecure use of temp files
Steve Langasek
642855 at bugs.launchpad.net
Thu Oct 14 05:34:41 UTC 2021
The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release.
** Changed in: flash-kernel (Ubuntu Precise)
Status: Confirmed => Won't Fix
https://bugs.launchpad.net/bugs/642855
Title:
Insecure use of temp files
Status in flash-kernel package in Ubuntu:
Fix Released
Status in flash-kernel source package in Lucid:
Won't Fix
Status in flash-kernel source package in Natty:
Won't Fix
Status in flash-kernel source package in Oneiric:
Won't Fix
Status in flash-kernel source package in Precise:
Won't Fix
Status in flash-kernel source package in Quantal:
Fix Released
Bug description:
Binary package hint: flash-kernel
Hi folks
While reviewing a recent patch in Debian #596889, I noticed that
flash-kernel already had other instances of this apparently insecure
construct:
> + tmp=$(tempfile)
> + cat $kfile >> $tmp
> + mkimage -A arm -O linux -T kernel -C none -a 0x60008000 \
> + -e 0x60008000 -n "Linaro Kernel" -d $tmp $tmp.uboot \
> + >&2 1>/dev/null
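Review bot: the output name `$tmp.uboot` is derived from the tempfile name and is created by mkimage with an ordinary open-and-truncate, so anyone who can write to /tmp can pre-create it (or a symlink at that name) before mkimage runs; keep both files inside a private directory instead, e.g. `tmpdir=$(mktemp -d)`, `mkimage ... -d "$tmpdir/kernel" "$tmpdir/kernel.uboot"`, and remove the directory afterwards. While touching these lines, quote `$kfile` and `$tmp`, and note that `>&2 1>/dev/null` simply discards stdout (the first redirection is overridden by the second), so if mkimage's messages were meant to stay visible the order needs revisiting.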
mkimage takes the kernel from $tmp and writes it to its first arg,
$tmp.uboot. There is a window where an attacker can create a
tmp.uboot symlink pointing to a file of his choice making this a
probably low priority local denial of service vulnerability. Note
that flash-kernel is called for each kernel upgrade and runs as root
to install the new kernel.
I checked flash-kernel 1.6 and it doesn't call mkimage but is affected
by a different type of tempfile abuse:
tmp=$(tempfile)
printf "Flashing kernel: " >&2
(
    sercomm_header $(expr $kfilesize + 16)
    dd if=$kfile of=$tmp bs=$ksize1 count=1 2>/dev/null    # truncates $tmp
    nslu2_swap $tmp
    sercomm_header 131072
    dd if=$kfile of=$tmp ibs=$ksize1 skip=1 2>/dev/null    # truncates $tmp again
    nslu2_swap $tmp
    rm -f $tmp                                             # removes $tmp
) > "$kmtd" || error "failed."
echo "done." >&2
printf "Flashing initramfs: " >&2
dd if=$ifile of=$tmp ibs=$(($imtdsize - 16)) conv=sync 2>/dev/null    # recreates $tmp by name
Note how the tempfile is created, truncated by dd, truncated by dd a
second time, removed, and then created again in this last dd call I
quoted above.
Cheers,
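A safer layout for the two patterns described in the report, as an added example that is not flash-kernel's own code: a private scratch directory replaces the bare tempfile, and every output is created as a new file rather than written through a name that may already exist. The file names and the fake 16-byte "image header" that stands in for mkimage are constructed for the demo.

```shell
#!/bin/sh
# Added example, not flash-kernel's own code. Both weaknesses quoted above
# (the guessable sibling name "$tmp.uboot", and a tempfile that is removed
# and then reopened by dd) come from opening a predictable path in the
# shared /tmp with O_TRUNC. The defence is a private directory plus
# no-clobber writes. Names and the fake "image header" are constructed.

# Private 0700 scratch directory. mktemp -d is atomic, so nothing can be
# planted inside it in advance and sibling names stop being guessable.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/flash-kernel.XXXXXX"
}

# Create $1 as a NEW file from stdin. Unlike 'dd of=$tmp' or 'cat > $tmp',
# this fails instead of following a planted symlink or truncating an
# existing file: -e/-L catch the obvious case, and set -C (POSIX noclobber)
# makes the '>' itself fail if something appears in between.
write_new_file() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        echo "refusing to write through existing path: $1" >&2
        return 1
    fi
    ( set -C && cat > "$1" )
}

# Build the kernel copy and its image inside one private directory instead
# of $tmp and $tmp.uboot in /tmp, never reusing a name after rm -f. The real
# script calls mkimage here; the demo just prepends a constructed header.
# Prints the image path; the caller removes the whole directory when done.
build_image() {
    kfile=$1
    workdir=$(make_workdir) || return 1
    write_new_file "$workdir/kernel" < "$kfile" || return 1
    { printf 'DEMO-HEADER-----'; cat "$workdir/kernel"; } \
        | write_new_file "$workdir/kernel.uboot" || return 1
    echo "$workdir/kernel.uboot"
}
```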