[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WP8 Security bug



http://linux.corel.com/linux8/linuxfix.htm

I don't understand this.  I can see that having 666 files in /tmp isn't
great.  But I checked my installed files and the binary isn't suid root, so
why should there be any major security problem, as long as you don't run wp
as root?

-rwxr-xr-x   1 root     root      8008636 Dec 17 22:00 xwp

> 
> When Corel WordPerfect 8 for Linux loads, it creates a directory called /tmp/wpc-<hostname> (where <hostname> is the host
> name of your computer) that has the UMASK 777. 
> 
> Some necessary temporary files are stored in this folder, all containing the UMASK 666. When Corel WordPerfect 8 for Linux
> loads, it checks to see that these files exist, and if so, it will overwrite them. 
> 
> However, Corel WordPerfect 8 for Linux doesn't check to see if these files have been replaced with sym-links of the same
> name. If this has been done (perhaps to compromise system security), Corel WordPerfect 8 for Linux will follow those
> sym-links and, if it has the rights to do so (which it will if you install the application as "root"), it will overwrite the file pointed
> to by the sym-link. This problem could be used to exploit a system. 

-- 
Itamar - itamars@ibm.net
-----------------------------o-------------------------------------o
Whole Pop Magazine Online    | The only good morning is a dead one |
 http://www.wholepop.com/    |          -- Richard Stallman        |