can cause root user to remove arbitrary files

(This was reported to me by Tavis Ormandy.)

This is CVE-2012-0945

Uh, it's more serious than just files in / and /var/crash, you can delete any file on the filesystem with this. e.g.

$ mkdir '/var/crash/chicken monkey/'
$ touch /var/crash/chicken\ monkey/fling\ duck.uploaded
$ find /var/crash -name '*.uploaded' -type f -size 0 | sed 's,\(.*\).uploaded$,\1.upload \1.uploaded,'
/var/crash/chicken monkey/fling duck.upload /var/crash/chicken monkey/fling duck.uploaded

i.e. it will attempt to delete monkey/fling; obviously anything else can be substituted for monkey/fling, like say etc/shadow.

Any progress on this, Evan?

The command should handle files with embedded newlines, and shouldn't enter into subdirectories as that can be raced.

Normally, something like this could be used:

find /var/crash -mindepth 1 -maxdepth 1 -name '*.uploaded' -type f -size 0 -print0 | xargs -0 rm -rf

Attempting to use the additional sed in there is difficult, and I can't think of a way to do it properly right now.

How about just erasing whatever is old?

find /var/crash -mindepth 1 -maxdepth 1 -name '*.upload*' -type f -mtime +7 -print0 | xargs -0 rm -rf

In theory .uploaded files should always be newer than .upload files...so the job could in theory erase an .upload file without erasing the .uploaded file, which will then get erased the next day.

This bug was fixed in the package whoopsie-daisy - 0.1.26

---------------
whoopsie-daisy (0.1.26) precise; urgency=low

  * Take ownership of the NetworkManager state variant on setup and
    unref it, plugging a memory leak.
  * Log the reason the server rejected the submitted crash report.
  * Send the Whoopsie version with each crash submission.
  * Delete both .upload and .uploaded files after 14 days. Thanks
    Marc Deslauriers (LP: #973687).
 -- Evan Dandrea <email address hidden> Tue, 10 Apr 2012 14:28:58 +0100