(no subject)



> The Helix installer contains multiple locally exploitable
> vulnerabilities.
>
> 1.	Several of the gdmify functions are vulnerable to attack because
>	they use system and /tmp in unsafe manners

These have been fixed in new versions of the installer and updater
(0.6) released tonight.

> 2.	The downloader tries to use a /tmp/helix_install directory, which
> 	at first seems a good idea.
>	In other words, if I get there first and create a mode 777 directory
>	the Helix user may end up installing arbitrarily modified packages
>	from a local attacker.

This has been fixed in the same version.

> 3.	When the user quits the updater the updating code on the version
> 	inspected attempts to delete the files in the download directory.
> 	Unfortunately due to an elementary coding error it deletes each file
> 	in the download directory with a corresponding file in /var/tmp

This was fixed rather quickly in 0.3.

> There are other potential holes in the check_rpm code but these depend
> on the XML database file fetched from helixcode.com being
> compromised. It would appear possible to create a remote exploit based
> on DNS spoofing to feed such a tampered XML file to the Installer but
> this would be an extremely tricky stunt and has not been attempted.

This was also fixed in an older version of the installer.

Security advisories were sent out this evening to BugTraq and our updates
lists. I don't have them up on the web page yet, but you can read them
here:

http://lists.helixcode.com/archives/public/beta/2000-August/001331.html
http://lists.helixcode.com/archives/public/beta/2000-August/001332.html

Joe
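
Added example, not part of the original message and not the Helix installer's code: item 2 above describes a fixed, predictable /tmp/helix_install directory that another local user can create first with mode 777. The Python sketch below shows a download-directory check that refuses such a pre-created directory; the helper name claim_download_dir and the scratch paths are assumptions made for illustration.

```python
import os
import stat
import tempfile


def claim_download_dir(path):
    """Create `path` as a private directory, or reuse it only if it is safe.

    Hypothetical helper for illustration. Raises PermissionError when an
    existing entry at `path` could be controlled by another local user.
    """
    try:
        # mkdir is atomic: it fails if anything (even a symlink) already exists.
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # someone got there first; inspect it before trusting it

    st = os.lstat(path)  # lstat so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: exists but is not a directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")
    return path


def demo():
    """Run the check against constructed directories in a scratch area."""
    base = tempfile.mkdtemp(prefix="helix_demo_")  # stands in for /tmp
    results = {}

    fresh = os.path.join(base, "helix_install")
    results["fresh"] = claim_download_dir(fresh) == fresh

    planted = os.path.join(base, "planted")  # constructed: pre-created, mode 777
    os.mkdir(planted)
    os.chmod(planted, 0o777)
    try:
        claim_download_dir(planted)
        results["planted_rejected"] = False
    except PermissionError:
        results["planted_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Where a fixed name is not required, tempfile.mkdtemp() avoids the race altogether by choosing an unpredictable name and creating the directory with mode 0700.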





