find: Security Considerations for locate

11.4 Security Considerations for 'locate'
=========================================

11.4.1 Race Conditions
----------------------

It is fairly unusual for the output of 'locate' to be fed into another
command. However, if this were to be done, this would raise the same
set of security issues as the use of 'find ... -print'. Although the
problems relating to whitespace in file names can be resolved by using
'locate''s '-0' option, this still leaves the race condition problems
associated with 'find ... -print0'. There is no way to avoid these
problems in the case of 'locate'.

11.4.2 Long File Name Bugs with Old-Format Databases
----------------------------------------------------

Old versions of 'locate' have a bug in the way that old-format databases
are read. This bug affects the following versions of 'locate':

1. All releases prior to 4.2.31
2. All 4.3.x releases prior to 4.3.7

The affected versions of 'locate' read file names into a fixed-length
1026-byte buffer, allocated on the heap. This buffer is not extended if
file names are too long to fit into the buffer. No range checking on
the length of the file name is performed. This could in theory lead to a
privilege escalation attack. Findutils versions 4.3.0 to 4.3.6 are also
affected.

On systems using the old database format and affected versions of
'locate', carefully-chosen long file names could in theory allow
malicious users to run code of their choice as any user invoking locate.

If remote users can choose the names of files stored on your system,
and these files are indexed by 'updatedb', this may be a remote security
vulnerability. Findutils version 4.2.31 and findutils version 4.3.7
include fixes for this problem. The 'updatedb', 'bigram' and 'code'
programs do not appear to be affected.

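The following is an added illustration of the defect class described in 11.4.2 and of the fix, not code from findutils: the affected versions copied each name into a fixed 1026-byte heap block without extending it or checking the length, while the reader below grows its buffer as the name is copied. It assumes a simplified input model (names as a NUL-separated byte stream, like 'find -print0' output) rather than the real old-format database encoding, and the sample stream is constructed inline.

```c
#include <stdlib.h>
#include <string.h>

#define OLD_BUFSIZE 1026   /* fixed heap buffer size in the affected versions */
#define LONG_NAME   2000   /* constructed name longer than that buffer */

/* Grow *buf with realloc until it holds at least need bytes. */
static int ensure_room(char **buf, size_t *cap, size_t need)
{
    size_t newcap = *cap ? *cap : OLD_BUFSIZE;
    if (need <= *cap) return 0;
    while (newcap < need) newcap *= 2;
    char *p = realloc(*buf, newcap);
    if (!p) return -1;
    *buf = p; *cap = newcap;
    return 0;
}

/* Read one NUL-terminated name from stream[*pos] into *buf, extending the
 * buffer as the name grows (the affected versions copied into a fixed
 * 1026-byte block with no length check).  Returns the name length, or -1
 * on allocation failure or when the stream ends without a terminator. */
long read_name(const char *stream, size_t len, size_t *pos,
               char **buf, size_t *cap)
{
    size_t n = 0;
    while (*pos < len && stream[*pos] != '\0') {
        if (ensure_room(buf, cap, n + 2) < 0) return -1;  /* byte + NUL */
        (*buf)[n++] = stream[(*pos)++];
    }
    if (*pos >= len || ensure_room(buf, cap, n + 1) < 0) return -1;
    (*pos)++; (*buf)[n] = '\0';      /* consume the NUL, terminate the name */
    return (long)n;
}

/* Constructed input, NUL-separated like 'find -print0' output: a short name,
 * then a LONG_NAME-byte name.  Returns 2000 on success, -2 if the long
 * name's bytes came back corrupted, -1 if reading failed. */
long demo_long_name(void)
{
    char stream[11 + LONG_NAME + 1], *buf = NULL;
    size_t len = sizeof stream, pos = 0, cap = 0;
    memcpy(stream, "etc/passwd", 11);          /* 10 chars + NUL */
    memset(stream + 11, 'x', LONG_NAME);
    stream[11 + LONG_NAME] = '\0';
    long r = read_name(stream, len, &pos, &buf, &cap);     /* short name: 10 */
    if (r == 10) r = read_name(stream, len, &pos, &buf, &cap);
    if (r == LONG_NAME && (buf[LONG_NAME - 1] != 'x' || buf[LONG_NAME] != '\0'))
        r = -2;
    free(buf);
    return r;
}
```
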
If you are also using GNU coreutils, you can use the following
command to determine the length of the longest file name on a given
system:

find / -print0 | tr -c '\0' 'x' | tr '\0' '\n' | wc -L

Although this problem is significant, the old database format is not
the default, and use of the old database format is not common. Most
installations and most users will not be affected by this problem.
