12844 – geoip possibly security issue with symlink attacks due to predictable tmp filenames in cron job

Bug 12844 - geoip possibly security issue with symlink attacks due to predictable tmp filenames in cron job

Summary: geoip possibly security issue with symlink attacks due to predictable tmp fil...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Mageia Bug Squad
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-02-21 19:06 CET by David Walser
Modified:	2014-11-28 09:31 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	geoip-1.5.1-3.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Comment 2 Dan Fandrich 2014-04-17 17:21:31 CEST

This is definitely a security issue. Anyone can DOS a system with a simple "ln -s /etc/passwd /tmp/GeoIP.dat.gz and waiting for the first of the month.

CC: (none) => dan

Comment 3 David Walser 2014-11-27 15:56:48 CET

Closing due to Mageia 3 EOL:
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 4 Dan Fandrich 2014-11-27 21:55:22 CET

This is still an issue in mga4.

Status: RESOLVED => REOPENED
Version: 3 => 4
Resolution: OLD => (none)

Comment 5 David Walser 2014-11-27 21:58:29 CET

No it isn't, due to symlink protection in the kernel.  Those kinds of issues are no longer security concerns as of Mageia 4.

Status: REOPENED => RESOLVED
Version: 4 => 3
Resolution: (none) => OLD

Comment 6 Dan Fandrich 2014-11-27 22:19:55 CET

That's great to know! I tested it and it does fix this issue.

Version: 3 => 4
Resolution: OLD => FIXED

Oden Eriksson 2014-11-28 09:31:07 CET

CC: (none) => oe

Note You need to log in before you can comment on or make changes to this bug.