/tmp symlink problems in SuSE Linux 6.1

From: Thomas Fischbacher (Thomas.Fischbacherat_private-MUENCHEN.DE)
Date: Wed Jun 02 1999 - 02:01:32 PDT

    I notified SuSE GmbH several weeks ago about this problem, but didn't get
    any response, therefore this post to Bugtraq.
    
    
    With SuSE Linux 6.1 there are still a few programs around which blindly
    create files in /tmp regardless of whether a symlink or something
    similarly evil already exists in that place. Among these programs are
    'man' and 'dvips'.
    
    
    Though it seems to be impossible by now to overwrite /etc/passwd with a
    plain simple /tmp/zman01234aaa symlink (didn't check if the source is
    race-condition free, though), one can still create arbitrary
    files which do funny things. Example:
    
    perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
    
    
    --
    regards,               tfat_private-muenchen.de              (o_
     Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
    (lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
    (if (= x 0) y (g g (- x 1) (* x y)))) n 1))
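
An added example, not part of the original post and not code from man, dvips or SuSE: the blind-create pattern the message describes next to two hardened forms (`O_CREAT|O_EXCL` and `mkstemp()`), run inside a private scratch directory. The function names, the scratch directory name and the stand-in `nologin` target are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, mkstemp, symlink, lstat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the post: predictable name, no O_EXCL. A symlink planted at
 * `path` is followed and its target is created. */
static int open_blind(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a dangling symlink, already exists at `path`. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Exercises both inside a private scratch directory (constructed setup).
 * Returns a bitmask: 1 = blind open created the link target, 2 = O_EXCL
 * refused the planted link, 4 = mkstemp() gave a regular file; -1 on error. */
int run_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], tgt[64], tmpl[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/zman01234aaa", dir);  /* name from the post */
    snprintf(tgt, sizeof tgt, "%s/nologin", dir);       /* stand-in target */
    snprintf(tmpl, sizeof tmpl, "%s/zmanXXXXXX", dir);
    if (symlink(tgt, lnk) != 0) return -1;              /* dangling symlink */

    fd = open_excl(lnk);                 /* must be refused: link exists */
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);
    fd = open_blind(lnk);                /* follows the link, creates tgt */
    if (fd >= 0) close(fd);
    if (lstat(tgt, &st) == 0 && S_ISREG(st.st_mode)) result |= 1;
    fd = mkstemp(tmpl);                  /* random name, O_EXCL internally */
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
    if (fd >= 0) close(fd);

    unlink(lnk); unlink(tgt); unlink(tmpl); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```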
    


