Title: Musicqueue SIGSEGV Signal Handler Insecure File Creation Vulnerability
Severity: MODERATE
Description:
Musicqueue is a CGI-based jukebox utility designed to invoke external programs to carry out a variety of tasks. Musicqueue is available for the Linux operating system. This program includes a make suid installation option, which will install the utility with suid and sgid privileges of the installing user.
When the Musicqueue utility is invoked, the crash() function is registered as the handler for any generated SIGSEGV signals. The function's sole purpose is to call the gcgiSaveEnvVariables() library function, which takes a single argument: the name of a temporary file. The CGI environment variable data of the program that encountered the segmentation violation is then stored within this file.
It has been discovered that the crash() signal handler incorrectly passes the aforementioned library function a predictable filename for the storage of environment information, specifically "/tmp/musicqueue.crash". As a result, when handling a SIGSEGV signal, Musicqueue may be prone to symbolic link attacks.
Due to the potentially attacker-controllable data contained within environment variables, it is believed to be trivial for an attacker to elevate privileges to those of the owner or group of the executable. On some installations, this may effectively result in root compromise.
This vulnerability is said to affect Musicqueue 1.2.0; however, earlier versions may also be affected.
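The fix pattern for the predictable "/tmp/musicqueue.crash" name, as an added example that is not code from Musicqueue or its CGI library: open the dump file so that anything already present at the name, a symbolic link included, causes a refusal, then write to the returned descriptor. The function names and the demo directory are assumptions, and the symlink scenario is constructed inside a private temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a crash-dump file without following or reusing
 * anything already at `path`. With O_CREAT|O_EXCL, open() fails with EEXIST
 * if the name exists, including when it is a symlink (dangling or not);
 * O_NOFOLLOW is defence in depth. open() is async-signal-safe, so this can
 * be called from a SIGSEGV handler. */
int open_crash_dump(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a symlink already sits at the dump path and points
 * at a file that does not exist yet. Returns 1 if the hardened open refuses
 * the link, never creates its target, and still creates a fresh private
 * file once the link is gone; returns 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/mq-demo-XXXXXX";
    char dump[64], target[64];
    struct stat st;
    int fd, ok;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(dump, sizeof dump, "%s/musicqueue.crash", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, dump) != 0)
        return 0;

    errno = 0;
    fd = open_crash_dump(dump);
    ok = (fd == -1 && errno == EEXIST && stat(target, &st) == -1);
    if (fd != -1) close(fd);

    unlink(dump);                      /* remove the planted link */
    fd = open_crash_dump(dump);        /* fresh name: must succeed */
    ok = ok && fd != -1 && fstat(fd, &st) == 0 && (st.st_mode & 0077) == 0;
    if (fd != -1) close(fd);

    unlink(dump);
    rmdir(dir);
    return ok;
}
```

Placing the dump in a directory that only the program's owner can write to removes the dependency on a world-writable /tmp entirely; the flags above are the minimum when /tmp has to be used.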
Affected Products:
- Musicqueue Musicqueue 1.2.0
References:
- Musicqueue: Musicqueue Homepage