This gem is susceptible to a code execution attack due to its usage of a fixed directory in /tmp and YAML without using safe_load, since the name is predictable in the default configuration and no checks are done on owner or permissions.
So someone could create ahead of time a directory /tmp/openuri-$targetuid/ with 777 permissions, precreate directories for the hosts to contact (or just wait until the directory is created and rename it, thanks to the 777 permissions) with proper permissions, wait until a meta file is created, and replace it with one containing Ruby code to be executed when loaded by YAML.load, as it doesn't use the safe loader for YAML
( http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/ ).
The ID CVE-2015-3649 has been assigned to that issue.
There are various fixes. For one, using $XDG_RUNTIME_DIR when defined fixes the issue on Linux systems. Verifying the permissions and the owner of the meta file would also prevent the issue.
See http://www.openwall.com/lists/oss-security/2015/05/05/14 and http://www.openwall.com/lists/oss-security/2015/05/06/2 for details.
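The two mitigations the report names (a per-user runtime directory and owner/permission checks on the meta file), plus parsing with `YAML.safe_load`, as an added example of the hardened pattern; this is not the gem's own code, and the `SafeMetaCache` module name and its method names are assumptions made for illustration:

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Hypothetical hardened cache helpers (example code, not the gem's implementation).
module SafeMetaCache
  # Pick a per-user cache root: $XDG_RUNTIME_DIR when set (already private to
  # the user on Linux), otherwise a uid-specific directory under the tmpdir.
  def self.cache_root(env = ENV)
    base = env['XDG_RUNTIME_DIR']
    return File.join(base, 'openuri') if base && !base.empty?
    File.join(Dir.tmpdir, "openuri-#{Process.uid}")
  end

  # Create the directory with mode 0700 if missing, then verify what is
  # actually there: a real directory (not a symlink), owned by us, and
  # closed to group/other. A precreated 0777 directory is rejected, not reused.
  def self.ensure_private_dir!(path)
    FileUtils.mkdir_p(path, mode: 0o700) unless File.exist?(path)
    st = File.lstat(path)
    raise "#{path}: not a directory" unless st.directory?
    raise "#{path}: owned by uid #{st.uid}, not #{Process.uid}" unless st.uid == Process.uid
    raise "#{path}: mode #{st.mode.to_s(8)} allows group/other" unless (st.mode & 0o077).zero?
    path
  end

  # Load a meta file only when it is a regular file we own that nobody else can
  # write, and parse it with safe_load so the YAML cannot instantiate arbitrary
  # Ruby objects (the report's YAML.load vector).
  def self.load_meta(path)
    st = File.lstat(path)
    raise "#{path}: not a regular file" unless st.file?
    raise "#{path}: owned by uid #{st.uid}, not #{Process.uid}" unless st.uid == Process.uid
    raise "#{path}: writable by group/other" unless (st.mode & 0o022).zero?
    YAML.safe_load(File.read(path), permitted_classes: [Time], aliases: false)
  end
end
```

A meta file carrying a `!ruby/object` tag now raises `Psych::DisallowedClass` instead of being instantiated, and a world-writable or foreign-owned directory or file is refused before it is read.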