Date: Sat, 4 Mar 2000 19:44:21 +1000 (EST)
From: Phil Homewood <phil@rivendell.apana.org.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Message-ID: <200003040944.TAA45571@rivendell.apana.org.au>
>Number: 17175
>Category: gnu
>Synopsis: [PATCH] send-pr predictable tempfile vulnerability
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 4 01:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Phil Homewood
>Release: FreeBSD 3.4-STABLE i386
>Organization:
>Environment:
$FreeBSD: src/gnu/usr.bin/send-pr/send-pr.sh,v 1.9.2.3 1999/08/29 14:35:18 peter Exp $
>Description:
send-pr overwrites files named after (predictable) PIDs
in /tmp, following symlinks. The exploits are obvious.
>How-To-Repeat:
Create lots of symlinks from /tmp/p$$ to something
interesting. Run send-pr, or wait for your victim to do
so. Observe target file now containing victim's name.
>Fix:
Workaround: set TMPDIR to something safe before invoking
send-pr.
Fix:
--- src/gnu/usr.bin/send-pr/send-pr.sh.orig Sat Sep 4 06:06:55 1999
+++ src/gnu/usr.bin/send-pr/send-pr.sh Sat Mar 4 19:33:22 2000
@@ -73,11 +73,9 @@
#
-[ -z "$TMPDIR" ] && TMPDIR=/tmp
-
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp -t send-pr.p` || exit 1
+BAD=`mktemp -t send-pr.pbad` || exit 1
+REF=`mktemp -t send-pr.pf` || exit 1
if [ -z "$LOGNAME" -a -n "$USER" ]; then
LOGNAME=$USER
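Review bot: On the three added mktemp lines, a failure of the second or third call runs `exit 1` while the files already created by the earlier calls are left behind in the temporary directory; consider `|| { rm -f "$TEMP"; exit 1; }` on the BAD line (and the equivalent for REF), or creating the files only once a cleanup trap is installed. The hunk also deletes the `[ -z "$TMPDIR" ] && TMPDIR=/tmp` default, so any later use of $TMPDIR in send-pr.sh (not visible in this hunk) would now see it unset and should be checked.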
Additional note: Do not edit /usr/bin/send-pr while sending
a PR. You will lose all your hard work when you exit.
>Release-Note:
>Audit-Trail:
>Unformatted:
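The difference between the PID-named file and the mktemp-created file described in this report, as an added example that is not part of the original PR or of send-pr. It works in a private scratch directory with constructed file names, and it uses the explicit template form of mktemp rather than the patch's `-t prefix` form, whose meaning differs between BSD and GNU mktemp.

```shell
#!/bin/sh
# Added example. Everything runs inside a private scratch directory and
# every file name below is constructed for the demonstration.

# Pattern the report describes: PID-derived name opened with ">".
# ">" opens without O_EXCL, so a symlink already at that name is followed.
write_predictable() {            # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/p$$"
}

# Pattern the patch moves to: mktemp chooses an unpredictable name and
# creates the file itself (O_EXCL, mode 0600), so an existing path is never reused.
write_mktemp() {                 # $1 = directory, $2 = data; prints the new name
    f=$(mktemp "$1/send-pr.p.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Run both where p$$ already exists as a symlink to another file.
# Prints: <target after predictable write> <target after mktemp write> <mode>
compare_patterns() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    printf 'keep me\n' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/p$$"

    write_predictable "$scratch" "report text"
    if [ "$(cat "$scratch/target")" = "keep me" ]; then r1=intact; else r1=overwritten; fi

    printf 'keep me\n' > "$scratch/target"      # reset before the second run
    new=$(write_mktemp "$scratch" "report text") || { rm -rf "$scratch"; return 1; }
    if [ "$(cat "$scratch/target")" = "keep me" ] && [ ! -L "$new" ]; then
        r2=intact
    else
        r2=overwritten
    fi
    mode=$(ls -ld "$new" | cut -c1-10)

    rm -rf "$scratch"
    printf '%s %s %s\n' "$r1" "$r2" "$mode"
}

compare_patterns
```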
