
Security vulnerability: fixed path in o=rwx directory in .deb

Open AJCxZ0 opened this issue 5 years ago • 6 comments

The preinst and postinst files indicate the use of a fixed path in a world-writable directory and likely vulnerability to a symlink attack. Use of mktemp(1) is strongly recommended.

I have not tested the .deb install.

No Security policy, so reporting here.

AJCxZ0, Oct 26 '20 18:10

We need a temporary place to copy the installer files during the deb generation. How about the new /opt/native-client/?

andy-portmen, Oct 27 '20 08:10

No, /opt is not an appropriate location for temporary files. /tmp is the correct location, however the problem is using a known fixed path in that directory. See e.g. CAPEC-132. This is trivially fixed by using mktemp(1).

AJCxZ0, Oct 27 '20 16:10

We need a temporary directory that is generated during the package creation to keep the installation files. So we cannot use mktemp. See https://github.com/andy-portmen/native-client/blob/master/prepare.sh#L14

andy-portmen, Oct 27 '20 21:10

@AJCxZ0 How about /usr/share/native-client/? https://github.com/andy-portmen/native-client/commit/56076588cf55c7eb151734fb2ab1ce5027da7053

andy-portmen, Nov 03 '20 13:11

No, /usr/share is also the wrong place for temporary files. The Filesystem Hierarchy Standard describes the purpose of the various directories and local implementation is described in hier(7). If, for reasons which remain unclear to me, you cannot use mktemp(1), then assuming derived names are similarly problematic, the old-fashioned method is to start by testing for the existence of an unlikely fixed path, e.g. /tmp/native-client.l2MdGdgVstpt7XGZKmr7JOxXmQn, and test for its existence. If it exists and you cannot remove it, then error and exit, else create it with a suitably restricted mode such as 700, use and remove it.

The real question is how to properly build the package, but my experience of packaging on Debian is too little and too old to give a useful and authoritative answer or recognise one with sufficient confidence to recommend it.

AJCxZ0, Nov 04 '20 01:11
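
The two approaches described in the comment above, sketched as shell functions a maintainer script could call. This is an added example, not code from the thread or from the project's preinst/postinst; the function names are hypothetical and `native-client` is only the prefix used in the thread.

```shell
#!/bin/sh
# Added example: private scratch directories for a package maintainer script.
# Function names are assumptions made for this illustration.

# Preferred: mktemp -d creates a directory with an unpredictable name and
# mode 0700 in one atomic step, so nothing can be pre-planted at that path.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Fallback when the name must be fixed: remove any leftover, then create with
# mkdir (no -p). mkdir fails if anything exists at the path, symlinks included,
# so a planted link is never followed and a lost race is an error, not a write.
claim_fixed_dir() {
    path=$1
    if [ -e "$path" ] || [ -L "$path" ]; then
        # rm without a trailing slash deletes a symlink itself, not its target
        rm -rf -- "$path" || { echo "cannot remove $path" >&2; return 1; }
    fi
    mkdir -m 700 -- "$path" || { echo "cannot create $path" >&2; return 1; }
}

# Run a command with a private scratch directory appended as its last argument,
# then remove the directory whatever the command's exit status was.
with_private_tmpdir() {
    prefix=$1; shift
    dir=$(make_private_tmpdir "$prefix") || return 1
    rc=0
    "$@" "$dir" || rc=$?
    rm -rf -- "$dir"
    return "$rc"
}
```
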

> If, for reasons which remain unclear to me, you cannot use mktemp(1)

We have a NodeJS executable and a few JS files that are supposed to place browser-specific files inside the home directory. I need to place them inside the package and somehow have access to them to run the installer. I tried to place them inside the "DEBIAN" directory, but I couldn't find a way to have access to them during the installation. The mktemp works fine if you need a temp directory just during the installation.

andy-portmen, Nov 04 '20 05:11