Date: Wed, 23 Feb 2000 20:20:35 GMT From: Colin Phipps <crp22@cam.ac.uk> To: FreeBSD-gnats-submit@freebsd.org Subject: gnu/16942: send-pr(1) creates unsafe temp files Message-ID: <200002232020.UAA03039@crp22.trin.cam.ac.uk>
next in thread | raw e-mail | index | archive | help
>Number: 16942
>Category: gnu
>Synopsis: send-pr(1) creates unsafe temp files
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 23 12:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Colin Phipps
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
n/a
>Environment:
FreeBSD 4.0-CURRENT as of 2000/02/22
>Description:
send-pr(1) creates a number of temporary files, in /tmp by default, for
holding the bug report while it's parsed and edited, and various other
tasks. These temporary files are opened unsafely with predictable filenames,
making send-pr vulnerable to a symlink attack.
>How-To-Repeat:
See description.
>Fix:
Use mktemp(1):
*** /usr/bin/send-pr Tue Feb 22 11:54:39 2000
--- ./send-pr Wed Feb 23 19:43:16 2000
***************
*** 73,84 ****
#
- [ -z "$TMPDIR" ] && TMPDIR=/tmp
-
- TEMP=$TMPDIR/p$$
- BAD=$TMPDIR/pbad$$
- REF=$TMPDIR/pf$$
-
if [ -z "$LOGNAME" -a -n "$USER" ]; then
LOGNAME=$USER
fi
--- 73,78 ----
***************
*** 93,111 ****
ORIGINATOR="`sed -e '1q' $HOME/.fullname`"
elif [ -f /bin/domainname ]; then
if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then
# Must use temp file due to incompatibilities in quoting behavior
# and to protect shell metacharacters in the expansion of $LOGNAME
/usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
! cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
! ORIGINATOR="`cat $TEMP`"
! rm -f $TEMP
fi
fi
if [ "$ORIGINATOR" = "" ]; then
! grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
! ORIGINATOR="`cat $TEMP`"
! rm -f $TEMP
fi
if [ -n "$ORGANIZATION" ]; then
--- 87,107 ----
ORIGINATOR="`sed -e '1q' $HOME/.fullname`"
elif [ -f /bin/domainname ]; then
if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then
+ PTEMP=`mktemp -t pt` || exit 1
# Must use temp file due to incompatibilities in quoting behavior
# and to protect shell metacharacters in the expansion of $LOGNAME
/usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
! cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP
! ORIGINATOR="`cat $PTEMP`"
! rm -f $PTEMP
fi
fi
if [ "$ORIGINATOR" = "" ]; then
! PTEMP=`mktemp -t pt` || exit 1
! grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP
! ORIGINATOR="`cat $PTEMP`"
! rm -f $PTEMP
fi
if [ -n "$ORGANIZATION" ]; then
***************
*** 251,256 ****
--- 247,255 ----
HOW_TO_REPEAT_C='<Code/input/activities to reproduce the problem (multiple lines)>'
FIX_C=''
+ # Create temporary files, safely
+ REF=`mktemp -t pf` || exit 1
+ TEMP=`mktemp -t pf` || exit 1
# Catch some signals. ($xs kludge needed by Sun /bin/sh)
xs=0
trap 'rm -f $REF $TEMP; exit $xs' 0
***************
*** 482,487 ****
--- 481,487 ----
case "$input" in
a*)
if [ -z "$BATCH" ]; then
+ BAD=`mktemp -t pbad`
echo "$COMMAND: the problem report remains in $BAD and is not sent."
mv $TEMP $BAD
else
***************
*** 542,547 ****
--- 542,548 ----
else
echo "$COMMAND: mysterious mail failure."
if [ -z "$BATCH" ]; then
+ BAD=`mktemp -t pbad`
echo "$COMMAND: the problem report remains in $BAD and is not sent."
mv $REF $BAD
else
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200002232020.UAA03039>