Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#302412; Package sharutils.
(full text, mbox, link).
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security
In unshar.c:
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.
A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:
- This example in shar(1):
find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
- This example in the info file:
find . -type f -print | shar -S -o /tmp/big.shar
- This example in README.OLD:
e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
- This in contrib/shar.sh:
echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
echo 'cat > $temp <<\!!!'
...
echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
--
see shy jo
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Thu, 31 Mar 2005 10:08:15 -0800
Wrong assumption. It was announced on info-gnu. These new
issues will get faster action with a suggested patch :-).
Thanks - Bruce
Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <joeyh@debian.org>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave
Since sharutils is still barely on life support, perhaps it is not
quite yet in the grave....;)
> Tags: security
>
> In unshar.c:
>
> sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
> unlink (name_buffer);
>
> if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
> find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
> find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
> e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
> echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
> echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
> echo 'cat > $temp <<\!!!'
> ...
> echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages sharutils depends on:
> ii debianutils 2.13.2 Miscellaneous utilities specific t
> ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
Subject: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Thu, 31 Mar 2005 19:36:02 +0200 (CEST)
Hello.
I received this from the Debian bug system:
I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
a separate directory, I assume it is not considered stable yet.
---------- Forwarded message ----------
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Thu, 31 Mar 2005 06:51:57 -1000
Subject: Bug#302412: exploitable temporary file race in unshar
Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security
In unshar.c:
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.
A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:
- This example in shar(1):
find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
- This example in the info file:
find . -type f -print | shar -S -o /tmp/big.shar
- This example in README.OLD:
e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
- This in contrib/shar.sh:
echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
echo 'cat > $temp <<\!!!'
...
echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#302412; Package sharutils.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Fri, 1 Apr 2005 03:30:05 +0200 (CEST)
On Thu, 31 Mar 2005, Bruce Korb wrote:
> Wrong assumption. It was announced on info-gnu.
May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
named "4.3.77" and "REL-4.3.78", then? The current layout is a little
bit misleading.
> These new issues will get faster action with a suggested patch :-).
Ok, here is a patch that maybe you can accept:
diff -ru sharutils-4.2.1.orig/src/unshar.c sharutils-4.2.1/src/unshar.c
--- sharutils-4.2.1.orig/src/unshar.c 2005-04-01 03:04:23.982932000 +0200
+++ sharutils-4.2.1/src/unshar.c 2005-04-01 03:10:59.278838528 +0200
@@ -426,13 +426,15 @@
}
else
{
+#ifdef __MSDOS__
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
error (EXIT_FAILURE, errno, name_buffer);
-#ifndef __MSDOS__
- unlink (name_buffer); /* will be deleted on fclose */
+#else
+ if (file = tmpfile(), !file)
+ error (EXIT_FAILURE, errno, "tmpfile");
#endif
while (size_read = fread (copy_buffer, 1, sizeof (copy_buffer), stdin),
This patch tries not to break the MSDOS stuff. For Unix, there is no
need to unlink the file (the tmpfile function already does this), not
to mention we don't even know the name of the file, so we have to
change the error message a little bit to not reference name_buffer,
since it does not have any useful value.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#302412; Package sharutils.
(full text, mbox, link).
Acknowledgement sent to Bruce Korb <bruce.korb@gmail.com>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Cc: Santiago Vila <sanvila@unex.es>,
bkorb@gnu.org,
Joey Hess <joeyh@debian.org>,
302412@bugs.debian.org
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Fri, 1 Apr 2005 09:00:28 -0800
On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> On Thu, 31 Mar 2005, Bruce Korb wrote:
>
> > Wrong assumption. It was announced on info-gnu.
>
> May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
> named "4.3.77" and "REL-4.3.78", then? The current layout is a little
> bit misleading.
The first was a typo that I didn't notice until my script was already running.
It is my intention to release in REL-xxxxx subdirectories. It reduces clutter.
> > These new issues will get faster action with a suggested patch :-).
>
> Ok, here is a patch that maybe you can accept:
Looks fine to me. It may be a couple of weeks tho, taxes and my day job
take priority. :)
> This patch tries not to break the MSDOS stuff.
Thanks. I tend to forget that MSDOS exists.... ;)
Regards, Bruce
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#302412; Package sharutils.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Fri, 1 Apr 2005 19:28:56 +0200 (CEST)
On Fri, 1 Apr 2005, Bruce Korb wrote:
> On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> > Ok, here is a patch that maybe you can accept:
>
> Looks fine to me. It may be a couple of weeks tho, taxes and my day job
> take priority. :)
Ok. For completeness, I'm also going to change /tmp/foo to /somewhere/foo
in both the manpage and the texinfo file, since those are included in
the Debian binary package. Please remember to rewrite README.OLD and
contrib/shar.sh appropriately for release 4.3.79.
Thanks.
Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Subject: Bug#302412: fixed in sharutils 1:4.2.1-13
Date: Fri, 01 Apr 2005 13:17:40 -0500
Source: sharutils
Source-Version: 1:4.2.1-13
We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:
sharutils-doc_4.2.1-13_all.deb
to pool/main/s/sharutils/sharutils-doc_4.2.1-13_all.deb
sharutils_4.2.1-13.diff.gz
to pool/main/s/sharutils/sharutils_4.2.1-13.diff.gz
sharutils_4.2.1-13.dsc
to pool/main/s/sharutils/sharutils_4.2.1-13.dsc
sharutils_4.2.1-13_i386.deb
to pool/main/s/sharutils/sharutils_4.2.1-13_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 302412@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated sharutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 1 Apr 2005 19:57:40 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
sharutils - shar, unshar, uuencode, uudecode
sharutils-doc - Documentation for GNU sharutils
Closes: 302412
Changes:
sharutils (1:4.2.1-13) unstable; urgency=medium
.
* Fixed insecure temporary file creation in unshar (Closes: #302412).
Changed also texinfo and shar(1) examples to read /somewhere/foo
instead of /tmp/foo. Reported by Joey Hess.
Files:
70e24dfeee9fbd9702dd5291444bf7a6 616 utils standard sharutils_4.2.1-13.dsc
b0fd598dffd23e0d77a910a50a37ac93 8304 utils standard sharutils_4.2.1-13.diff.gz
bda14234eb1b418d42184cf3b2e39008 27956 doc optional sharutils-doc_4.2.1-13_all.deb
4b482981eae8ea71c85427f7c1100db2 111344 utils standard sharutils_4.2.1-13_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCTYvwd9Uuvj7yPNYRArcTAKCB3v2NrpdqiMi+jzltHbcmg1wFxQCePU9b
oqvs3YCwFKboAqxDBFywBYc=
=4cM1
-----END PGP SIGNATURE-----
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.