rhinstaller / fedup

Deprecated Fedora Upgrade tool
GNU General Public License v2.0

/var/tmp/system-upgrade temporary directory creation vulnerability #44

Closed ghost closed 10 years ago

ghost commented 10 years ago

Michael Scherer of Red Hat reports: While trying to upgrade my F19 to F20 using fedup, I noticed that it uses a directory in /var/tmp/, with a fixed known name.

cachedir = '/var/tmp/fedora-upgrade'

One note, in fedup 0.8.0 (F20) the directory is now /var/tmp/system-upgrade

As per https://bugzilla.redhat.com/show_bug.cgi?id=1066679

Suggest you use Python mkdtemp():

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

Thanks.

wgwoods commented 10 years ago

It's actually a download cache; everything that is downloaded there is verified - either by downloading via https (metadata) or checking GPG signatures (RPMs, boot images).

But, sure, I'll move it to /var/cache, which will "fix" this "vulnerability", I guess.

ghost commented 10 years ago

So this would allow an attacker to prevent updates from happening, allowing them to then exploit a known vuln after it should have been fixed ("upgrade freeze attack").

wgwoods commented 10 years ago

I'm sorry - what would do that?

Are you saying there's still a problem, or are you describing the previous bug, or have I introduced a new problem?

ghost commented 10 years ago

My point was this issue would allow a local user to prevent the system from being updated, hence why this issue is worth fixing (from a security perspective).
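An added example, not part of the thread and not fedup's code, showing the two remedies discussed above side by side: `mkdtemp()` for a throwaway directory, and an ownership check for a fixed-name cache directory that has to persist between runs. The names `private_tempdir`, `claim_cachedir` and `UnsafeCacheDir` are hypothetical, and the demo paths are constructed in a scratch directory.

```python
import os
import stat
import tempfile


class UnsafeCacheDir(Exception):
    """The fixed-name directory exists but cannot be trusted."""


def private_tempdir(parent="/var/tmp", prefix="system-upgrade."):
    # mkdtemp() appends a random suffix and creates the directory atomically
    # with mode 0700, so a local user cannot predict or pre-create it.
    return tempfile.mkdtemp(prefix=prefix, dir=parent)


def claim_cachedir(path):
    """Create or reuse a fixed-name directory; refuse one planted by another user."""
    try:
        os.mkdir(path, 0o700)  # EEXIST on any existing entry, symlinks included
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat inspects the entry itself, not a symlink target
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path} is not a real directory")
    if st.st_uid != os.geteuid():
        raise UnsafeCacheDir(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeCacheDir(f"{path} is group- or world-writable")
    return path


if __name__ == "__main__":
    scratch = tempfile.mkdtemp()  # constructed stand-in for /var/tmp
    print("random name:", private_tempdir(parent=scratch))
    print("fixed name: ", claim_cachedir(os.path.join(scratch, "system-upgrade")))
    planted = os.path.join(scratch, "planted")  # constructed: pre-made symlink
    os.symlink(scratch, planted)
    try:
        claim_cachedir(planted)
    except UnsafeCacheDir as err:
        print("refused:    ", err)
```

A fixed name that fails the check still stops the run, which is the denial-of-upgrade case raised in the thread; placing the cache under a parent that only root can write to removes that lever.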