rpm (RedHat Package Manager)


    RedHat Linux


    Nicolas Dubee found  following rpm vulnerability in RedHat  Linux.
    Vulnerability affects version 2.3.11 current (shipped with  RedHat
    Linux 4.2) older ones as well.  Problem are temporary files.

    RPM (Redhat  Package Manager)  has many  useful features.   One of
    these features is to  retrieve a file off  of the net and  install
    it all in one step.   When RPM is used this  way, the file RPM  is
    retrieving is temporarily stored in  /var/tmp.  The file mask  RPM
    uses  is  rpm-ftp-$no-$pid.tmp  whereas  $no  is the number of the
    package in the queue (0,1,2,...).

    Unfortunatly, rpm does  not properly check  if the temporary  file
    already exists, and will follow symlinks.  As rpm is often ran  by
    root, it  is then  possible to  overwrite any  file on the system,
    regardless of access permissions.


    RPM 2.4.6 is now available from
    It  includes  fixes  to  avoid  symlink attacks when creating /tmp
    files.  You may also apply the following temporary patch below  to
	url.c in the rpm source directory.

    <     fd = creat(dest, 0600);
    > //    fd = creat(dest, 0600);
    >    if(-1==(fd=open(dest,O_CREAT|O_EXCL|O_RDWR,0600)))
    >      {
    >       perror(dest);
    >       exit(1);
    >      }

    RedHat will fix this is in RPM 2.4.4. It touches a number of other
    places in RPM as well, mostly in the build code.