FS#61842 - [ghc-libs] use of predictable /tmp file names in alpm hooks
Attached to Project:
Community Packages
Opened by Julian Brost (julian) - Saturday, 23 February 2019, 17:46 GMT
Last edited by Felix Yan (felixonmars) - Sunday, 13 September 2020, 20:59 GMT
Opened by Julian Brost (julian) - Saturday, 23 February 2019, 17:46 GMT
Last edited by Felix Yan (felixonmars) - Sunday, 13 September 2020, 20:59 GMT
|
Details
Description:
The alpm hooks installed in /usr/share/libalpm/hooks/ghc-register.hook and /usr/share/libalpm/hooks/ghc-unregister.hook use `>>/tmp/haskell-register.log` to redirect output to a file in /tmp that has a predictable name. While I think this is not a security issue thanks to the fs.protected_symlinks=1 sysctl being set by default, this could still prevent the correct installation of packages if this file already exists as a symlink owned by another user. Additional info: * package version(s): 8.6.3-1 Steps to reproduce: * Run `ln -s /foobar /tmp/haskell-register.log` as a non-root user * Install any haskell-* package that contains a /usr/share/haskell/register/*.sh file (1/1) Unregistering Haskell modules... /bin/sh: /tmp/haskell-register.log: Permission denied error: command failed to execute correctly |
This task depends upon
Closed by Felix Yan (felixonmars)
Sunday, 13 September 2020, 20:59 GMT
Reason for closing: Fixed
Additional comments about closing: 8.10.1-1
Sunday, 13 September 2020, 20:59 GMT
Reason for closing: Fixed
Additional comments about closing: 8.10.1-1
PS: at the very minimum this is still a local denial of service if you create a fifo file because a pacman upgrade will lockup forever when trying to write into it.
[1] https://github.com/archlinux/svntogit-community/commit/f0f6b818afe04dc8069c1620a2a184311258798e