Reporter Larry W. Cashdollar
`Gambas Directory hijack vulnerability
The gambas software package creates a directory in tmp to work from without verifying another user hasn't already created it. This allows a local user to hijack ownership.
Describe the problem.
Gambas creates a directory in /tmp called gambas.UID where UID is the user id of the person running the software. Gambas doesn't check to see if a malicious user has already created that directory.
A malicious user can then manipulate (mv or remove) that directory once gambas has created files under it.
larry@aliquot:/tmp$ mkdir gambas.0
larry@aliquot:/tmp$ ls -ld gambas.0
drwxr-xr-x 2 larry staff 4096 2012-12-13 16:37 gambas.0 larry@aliquot:/tmp$ cd gambas.0
larry@aliquot:/tmp/gambas.0$ ls -l
drwx------ 2 root root 4096 2012-12-13 16:37 25257 larry@aliquot:/tmp/gambas.0$ rm -rf 25257 larry@aliquot:/tmp/gambas.0$
User larry was able to remove the directory gambas created as root.
2) GIVE THE FOLLOWING INFORMATIONS (if they are appropriate):
Operating system: Linux
GUI component: QT3 / QT4 / GTK+
Desktop used: Gnome
3) Provide a little project that reproduces the bug or the crash.
ubuntu-builder runs as root
4) If your project needs a database, try to provide it, or part of it.
5) Explain clearly how to reproduce the bug or the crash.
6) By doing that carefully, you have done 50% of the bug fix job!
IMPORTANT NOTE: if you encounter several different problems or bugs, (for example, a bug in your project, and an interpreter crash while debugging it), please create distinct issues!
See bug posted here for details and fix from vendor:
@_larry0 Larry W. Cashdollar