GNU Fileutils Directory Removal Race Condition Vulnerability

GNU Fileutils Directory Removal Race Condition Vulnerability

GNU fileutils is a freely available, open-source file manager. It is designed for use on Linux and other UNIX-like operating systems.

Under some circumstances, a local user may be able to remove the root directory of the system. Due to inadequate file locking and an insecure 'chdir' call, an attacker could move files from the '/tmp' directory into the root directory. The problem occurs with a directory tree that has several single subdirectories in '/tmp' when the root user tries to remove the directories recursively. If the root user tries to recursively remove the directory tree from '/tmp' and if the directory tree is writable by another user, then the user could move a high-level directory into '/tmp' after the 'rm' program has descended the tree. The 'rm' program would then ascend from the '/tmp' directory to the root directory, recursively removing the contents of the root directory.