Closed
Description
Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in case of USBGuard). Also O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).
At least O_EXCL flag should be used. I'd also use more complex logic where files are created with unpredictable names (also using O_TMPFILE) and then possibly renamed to match file naming convention (if the protocol does not allow completely random file names). I would not use files for IPC.
Metadata
Metadata
Assignees
Labels
No labels