So I've recently been looking at proxy-server source code, for obvious reasons. The starting point was a simple search of the available options:
~$ apt-cache search proxy filter
...
trafficserver - fast, scalable and extensible HTTP/1.1 compliant caching proxy server
ssh-agent-filter - filtering proxy for ssh-agent
Hrm? trafficserver? That sounds like fun. Let's look at the source.
cd /tmp
apt-get source trafficserver
Lots of code, but scanning it quickly with my favourite tool, grep, we find this "gem":
$ rgrep /tmp .
./mgmt/tools/SysAPI.cc:    tmp = fopen("/tmp/shadow", "w");
./mgmt/tools/SysAPI.cc:    system("/bin/mv -f /tmp/shadow /etc/shadow");
Is that really what it looks like? Really? Sadly yes.
There's lots of abuse of /tmp files in the code in mgmt/tools/: fixed, predictable names in a world-writable directory, opened with fopen(..., "w"), which happily follows whatever symlink another local user has already planted there, and then handed to a privileged mv. Between the write and the mv any local user can swap the file's contents, so what lands in /etc/shadow is not necessarily what the program wrote. The modular structure took a while to understand, but the code compiled here ultimately ends up included in /usr/bin/traffic_shell, so this is a "real" security issue, allowing race-tastic local attackers to do bad things.
Bug reported as #749846.
I feel like I should write about auditing software, but equally I feel unqualified - better people than me have already done so, e.g. David Wheeler.
Also I've done it before, and nobody paid attention. (Or rather the people that should consider security frequently fail to do so, which is .. frustrating.)