linux, säkerhet

5685048 2000-11-04 14:27 -0800  /84 rader/ Kris Kennaway <kris@FREEBSD.ORG>
Sänt av: joel@lysator.liu.se
Importerad: 2000-11-06  08:59  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: kris@FREEBSD.ORG
Mottagare: Bugtraq (import) <13601>
Kommentar till text 5655168 av proton <proton@ENERGYMECH.NET>
Ärende: Re: tcsh: unsafe tempfile in << redirects
------------------------------------------------------------
On Sun, Oct 29, 2000 at 04:43:35AM +0000, proton wrote:

> VULNERABLE VERSIONS:
> 
> 6.07.02 (Astron) 1996-10-27
> 6.08.00 (Astron) 1998-10-02
> 6.09.00 (Astron) 1999-08-16 (latest)

This was fixed in the tcsh CVS repo with the following patch. I would
have just used mkstemp() myself, but it seems okay.

Kris

Index: sh.dol.c
===================================================================
RCS file: /mnt/ncvs/src/contrib/tcsh/sh.dol.c,v
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3.2.1 sh.dol.c
--- sh.dol.c	2000/06/10 22:25:57	1.1.1.3.2.1
+++ sh.dol.c	2000/11/04 22:23:29
@@ -1,4 +1,4 @@
-/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */
+/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $ */
 /*
  * sh.dol.c: Variable substitutions
  */
@@ -36,7 +36,7 @@
  */
 #include "sh.h"
 
-RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $")
+RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $")
 
 /*
  * C shell
@@ -1017,7 +1017,7 @@
 heredoc(term)
     Char   *term;
 {
-    register int c;
+    int c;
     Char   *Dv[2];
     Char    obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE];
     int     ocnt, lcnt, mcnt;
@@ -1025,7 +1025,9 @@
     Char  **vp;
     bool    quoted;
     char   *tmp;
+    struct timeval tv;
 
+again:
     tmp = short2str(shtemp);
 #ifndef O_CREAT
 # define O_CREAT 0
@@ -1036,12 +1038,22 @@
 #ifndef O_TEMPORARY
 # define O_TEMPORARY 0
 #endif
-    if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) {
-	int     oerrno = errno;
-
+#ifndef O_EXCL
+# define O_EXCL 0
+#endif
+    if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) == -1) {
+	int oerrno = errno;
+	if (errno == EEXIST) {
+	    if (unlink(tmp) == -1) {
+		(void) gettimeofday(&tv, NULL);
+		shtemp = Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^ 
+		    ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff));
+	    }
+	    goto again;
+	}
 	(void) unlink(tmp);
 	errno = oerrno;
-	stderror(ERR_SYSTEM, tmp, strerror(errno));
+ 	stderror(ERR_SYSTEM, tmp, strerror(errno));
     }
     (void) unlink(tmp);		/* 0 0 inode! */
     Dv[0] = term;
(5685048) ------------------------------------------
Bilaga (application/pgp-signature) i text 5685049

5685049 2000-11-04 14:27 -0800  /10 rader/ Kris Kennaway <kris@FREEBSD.ORG>
Importerad: 2000-11-06  08:59  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: kris@FREEBSD.ORG
Mottagare: Bugtraq (import) <13602>
Bilaga (text/plain) till text 5685048
Ärende: Bilaga till: Re: tcsh: unsafe tempfile in << redirects
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoEjVYACgkQWry0BWjoQKUsJACfUC4/ef/F+dav06LiwDab49ZQ
NPEAoMf74NWxtdnCHeMEiE59pqK9gwmj
=+lwN
-----END PGP SIGNATURE-----
(5685049) ------------------------------------------