5685048 2000-11-04 14:27 -0800 /84 rader/ Kris Kennaway <kris@FREEBSD.ORG> Sänt av: joel@lysator.liu.se Importerad: 2000-11-06 08:59 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: kris@FREEBSD.ORG Mottagare: Bugtraq (import) <13601> Kommentar till text 5655168 av proton <proton@ENERGYMECH.NET> Ärende: Re: tcsh: unsafe tempfile in << redirects ------------------------------------------------------------ On Sun, Oct 29, 2000 at 04:43:35AM +0000, proton wrote: > VULNERABLE VERSIONS: > > 6.07.02 (Astron) 1996-10-27 > 6.08.00 (Astron) 1998-10-02 > 6.09.00 (Astron) 1999-08-16 (latest) This was fixed in the tcsh CVS repo with the following patch. I would have just used mkstemp() myself, but it seems okay. Kris Index: sh.dol.c =================================================================== RCS file: /mnt/ncvs/src/contrib/tcsh/sh.dol.c,v retrieving revision 1.1.1.3.2.1 diff -u -r1.1.1.3.2.1 sh.dol.c --- sh.dol.c 2000/06/10 22:25:57 1.1.1.3.2.1 +++ sh.dol.c 2000/11/04 22:23:29 @@ -1,4 +1,4 @@ -/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */ +/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $ */ /* * sh.dol.c: Variable substitutions */ @@ -36,7 +36,7 @@ */ #include "sh.h" -RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $") +RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $") /* * C shell @@ -1017,7 +1017,7 @@ heredoc(term) Char *term; { - register int c; + int c; Char *Dv[2]; Char obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE]; int ocnt, lcnt, mcnt; @@ -1025,7 +1025,9 @@ Char **vp; bool quoted; char *tmp; + struct timeval tv; +again: tmp = short2str(shtemp); #ifndef O_CREAT # define O_CREAT 0 @@ -1036,12 +1038,22 @@ #ifndef O_TEMPORARY # define O_TEMPORARY 0 #endif - if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) { - int oerrno = errno; - +#ifndef O_EXCL +# define O_EXCL 0 +#endif + if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) == -1) { + int oerrno = errno; + if (errno == EEXIST) { + if (unlink(tmp) == -1) { + (void) gettimeofday(&tv, NULL); + shtemp = Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^ + ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff)); + } + goto again; + } (void) unlink(tmp); errno = oerrno; - stderror(ERR_SYSTEM, tmp, strerror(errno)); + stderror(ERR_SYSTEM, tmp, strerror(errno)); } (void) unlink(tmp); /* 0 0 inode! */ Dv[0] = term; (5685048) ------------------------------------------ Bilaga (application/pgp-signature) i text 5685049 5685049 2000-11-04 14:27 -0800 /10 rader/ Kris Kennaway <kris@FREEBSD.ORG> Importerad: 2000-11-06 08:59 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: kris@FREEBSD.ORG Mottagare: Bugtraq (import) <13602> Bilaga (text/plain) till text 5685048 Ärende: Bilaga till: Re: tcsh: unsafe tempfile in << redirects ------------------------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoEjVYACgkQWry0BWjoQKUsJACfUC4/ef/F+dav06LiwDab49ZQ NPEAoMf74NWxtdnCHeMEiE59pqK9gwmj =+lwN -----END PGP SIGNATURE----- (5685049) ------------------------------------------