From owner-freebsd-bugs  Sat Mar  4  1:50: 7 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id A975A37B7AC
	for <freebsd-bugs@FreeBSD.org>; Sat,  4 Mar 2000 01:50:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id BAA17652;
	Sat, 4 Mar 2000 01:50:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from rivendell.apana.org.au (rivendell.apana.org.au [203.3.126.17])
	by hub.freebsd.org (Postfix) with ESMTP id D06CE37B586
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  4 Mar 2000 01:44:34 -0800 (PST)
	(envelope-from phil@rivendell.apana.org.au)
Received: (from phil@localhost)
	by rivendell.apana.org.au (8.9.3/8.9.3) id TAA45571;
	Sat, 4 Mar 2000 19:44:21 +1000 (EST)
	(envelope-from phil)
Message-Id: <200003040944.TAA45571@rivendell.apana.org.au>
Date: Sat, 4 Mar 2000 19:44:21 +1000 (EST)
From: Phil Homewood <phil@rivendell.apana.org.au>
Reply-To: phil@rivendell.apana.org.au
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         17175
>Category:       gnu
>Synopsis:       [PATCH] send-pr predictable tempfile vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar  4 01:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Phil Homewood
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

     $FreeBSD: src/gnu/usr.bin/send-pr/send-pr.sh,v 1.9.2.3 1999/08/29 14:35:18 peter Exp $

>Description:

	send-pr overwrites files named after (predictable) PIDs
	in /tmp, following symlinks. The exploits are obvious.

>How-To-Repeat:

	Create lots of symlinks from /tmp/p$$ to something
	interesting. Run send-pr, or wait for your victim to do
	so. Observe target file now containing victim's name.

>Fix:
	
	Workaround: set TMPDIR to something safe before invoking
	send-pr.

	Fix:

--- src/gnu/usr.bin/send-pr/send-pr.sh.orig	Sat Sep  4 06:06:55 1999
+++ src/gnu/usr.bin/send-pr/send-pr.sh	Sat Mar  4 19:33:22 2000
@@ -73,11 +73,9 @@
 
 #
 
-[ -z "$TMPDIR" ] && TMPDIR=/tmp
-
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp -t send-pr.p` || exit 1
+BAD=`mktemp -t send-pr.pbad` || exit 1
+REF=`mktemp -t send-pr.pf` || exit 1
 
 if [ -z "$LOGNAME" -a -n "$USER" ]; then
   LOGNAME=$USER




	Additional note: Do not edit /usr/bin/send-pr while sending
	a PR. You will lose all your hard work when you exit.

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message