From owner-freebsd-bugs Wed Feb 23 12:30: 9 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id B559837B9D8 for ; Wed, 23 Feb 2000 12:30:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id MAA14423; Wed, 23 Feb 2000 12:30:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from lilac.csi.cam.ac.uk (lilac.csi.cam.ac.uk [131.111.8.44]) by hub.freebsd.org (Postfix) with ESMTP id 817EB37B91A for ; Wed, 23 Feb 2000 12:20:33 -0800 (PST) (envelope-from crp22@cam.ac.uk)
Received: from crp22.trin.cam.ac.uk ([131.111.193.222] ident=root) by lilac.csi.cam.ac.uk with esmtp (Exim 3.13 #1) id 12NiGt-0003en-00 for FreeBSD-gnats-submit@freebsd.org; Wed, 23 Feb 2000 20:20:31 +0000
Received: (from cph@localhost) by crp22.trin.cam.ac.uk (8.9.3/8.9.3) id UAA03039; Wed, 23 Feb 2000 20:20:35 GMT (envelope-from cph)
Message-Id: <200002232020.UAA03039@crp22.trin.cam.ac.uk>
Date: Wed, 23 Feb 2000 20:20:35 GMT
From: Colin Phipps
Reply-To: crp22@cam.ac.uk
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: gnu/16942: send-pr(1) creates unsafe temp files
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 16942
>Category: gnu
>Synopsis: send-pr(1) creates unsafe temp files
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 23 12:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Colin Phipps
>Release: FreeBSD 4.0-CURRENT i386
>Organization: n/a
>Environment: FreeBSD 4.0-CURRENT as of 2000/02/22
>Description:
send-pr(1) creates a number of temporary files, in /tmp by default, for holding the bug report while it's parsed and edited, and various other tasks.
These temporary files are opened unsafely with predictable filenames, making send-pr vulnerable to a symlink attack. >How-To-Repeat: See description. >Fix: Use mktemp(1): *** /usr/bin/send-pr Tue Feb 22 11:54:39 2000 --- ./send-pr Wed Feb 23 19:43:16 2000 *************** *** 73,84 **** # - [ -z "$TMPDIR" ] && TMPDIR=/tmp - - TEMP=$TMPDIR/p$$ - BAD=$TMPDIR/pbad$$ - REF=$TMPDIR/pf$$ - if [ -z "$LOGNAME" -a -n "$USER" ]; then LOGNAME=$USER fi --- 73,78 ---- *************** *** 93,111 **** ORIGINATOR="`sed -e '1q' $HOME/.fullname`" elif [ -f /bin/domainname ]; then if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then # Must use temp file due to incompatibilities in quoting behavior # and to protect shell metacharacters in the expansion of $LOGNAME /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" | ! cut -f5 -d':' | sed -e 's/,.*//' > $TEMP ! ORIGINATOR="`cat $TEMP`" ! rm -f $TEMP fi fi if [ "$ORIGINATOR" = "" ]; then ! grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP ! ORIGINATOR="`cat $TEMP`" ! rm -f $TEMP fi if [ -n "$ORGANIZATION" ]; then --- 87,107 ---- ORIGINATOR="`sed -e '1q' $HOME/.fullname`" elif [ -f /bin/domainname ]; then if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then + PTEMP=`mktemp -t pt` || exit 1 # Must use temp file due to incompatibilities in quoting behavior # and to protect shell metacharacters in the expansion of $LOGNAME /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" | ! cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP ! ORIGINATOR="`cat $PTEMP`" ! rm -f $PTEMP fi fi if [ "$ORIGINATOR" = "" ]; then ! PTEMP=`mktemp -t pt` || exit 1 ! grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP ! ORIGINATOR="`cat $PTEMP`" ! 
rm -f $PTEMP fi if [ -n "$ORGANIZATION" ]; then *************** *** 251,256 **** --- 247,255 ---- HOW_TO_REPEAT_C='' FIX_C='' + # Create temporary files, safely + REF=`mktemp -t pf` || exit 1 + TEMP=`mktemp -t pf` || exit 1 # Catch some signals. ($xs kludge needed by Sun /bin/sh) xs=0 trap 'rm -f $REF $TEMP; exit $xs' 0 *************** *** 482,487 **** --- 481,487 ---- case "$input" in a*) if [ -z "$BATCH" ]; then + BAD=`mktemp -t pbad` echo "$COMMAND: the problem report remains in $BAD and is not sent." mv $TEMP $BAD else *************** *** 542,547 **** --- 542,548 ---- else echo "$COMMAND: mysterious mail failure." if [ -z "$BATCH" ]; then + BAD=`mktemp -t pbad` echo "$COMMAND: the problem report remains in $BAD and is not sent." mv $REF $BAD else >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
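
Review bot: In the first hunk (old lines 73-84) the removed block takes out the [ -z "$TMPDIR" ] && TMPDIR=/tmp default together with the three predictable names. Please confirm that nothing left in the script still expands $TMPDIR, since it would now be empty whenever the user has not set it. If anything does, keep the default line and drop only the TEMP, BAD and REF assignments.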
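
Review bot: In the second hunk (new lines 87-107) PTEMP is created and removed well before the trap near new line 251 is installed, and that trap only lists $REF and $TEMP, so an interrupt between the mktemp call and rm -f $PTEMP leaves the file behind. Consider installing a cleanup trap ahead of this block, or adding $PTEMP to the existing one. The expansions in "> $PTEMP", "cat $PTEMP" and "rm -f $PTEMP" are also unquoted, which breaks if the generated path contains whitespace.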
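
Review bot: In the third hunk (new lines 247-255) both mktemp calls run before the trap line that follows them, so if the second call fails, "exit 1" leaves the file already created for REF in place. Moving the trap above the two assignments, or removing $REF on that failure path, avoids the leftover. REF and TEMP are also both created with the prefix pf, where the old code used p for TEMP and pf for REF; giving TEMP its own prefix keeps the two files distinguishable in the temp directory.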
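
Review bot: In the last two hunks (new lines 481-487 and 542-548) the BAD assignment from "mktemp -t pbad" is the only mktemp call in the patch without "|| exit 1" or any other check. If it fails, BAD is empty, the message names no file, "mv $TEMP $BAD" (or "mv $REF $BAD") has no destination, and the trap on exit then removes $REF and $TEMP, so the user's report is lost. Check the result and, on failure, tell the user where the report still is and keep that file out of the trap's cleanup.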