I notified SuSE GmbH several weeks ago about this problem, but didn't get any response, therefore this post to Bugtraq.

With SuSE Linux 6.1 there are still a few programs around which blindly create files in /tmp regardless of whether a symlink or something similarly evil already exists in that place. Among these programs are 'man' and 'dvips'.

Though it seems to be impossible by now to overwrite /etc/passwd with a plain simple /tmp/zman01234aaa symlink (didn't check if the source is race-condition free, though), one can still create arbitrary files which do funny things.

Example:

    perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'

-- 
regards, tfat_private-muenchen.de (o_
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:03 PDT
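
The file-creation pattern the post describes, next to the open() flags that refuse a pre-existing symlink, as an added example that is not part of the original post and is not code from 'man' or 'dvips'. The function names and the "zman"/"target" paths are assumptions, constructed inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT without O_EXCL follows an existing symlink
   and creates (or truncates) whatever it points to. */
int naive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if the
   name is already taken, even by a dangling symlink, and never follows it. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* 1 if the path resolves to an existing file (symlinks followed), else 0. */
static int exists(const char *path) { struct stat st; return stat(path, &st) == 0; }

/* Constructed scenario: "zman" is a planted symlink to "target", which does
   not exist yet. Returns a bitmask:
     1 = safe_create refused the name with EEXIST
     2 = target still absent after safe_create
     4 = naive_create created target through the symlink */
int demo(void) {
    char dir[] = "/tmp/symdemo.XXXXXX", lnk[64], target[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/zman", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }

    fd = safe_create(lnk);
    if (fd < 0 && errno == EEXIST) result |= 1;
    if (fd >= 0) close(fd);
    if (!exists(target)) result |= 2;

    fd = naive_create(lnk);
    if (fd >= 0) { close(fd); if (exists(target)) result |= 4; }

    unlink(target); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", demo()); return 0; }
```

O_EXCL closes the symlink hole but not the predictable name; mkstemp() combines the exclusive create with an unpredictable file name.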