Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (

From:	Roman Rakus
Subject:	Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack)
Date:	Tue, 16 Dec 2008 17:08:30 +0100
User-agent:	Thunderbird 2.0.0.18 (X11/20081119)

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5374
http://lists.debian.org/debian-devel/2008/08/msg00347.html
http://uvw.ru/report.sid.txt



Attaching patch. Changed to use mktemp.
RR

diff -up bash-3.2/examples/misc/cshtobash.mktemp 
bash-3.2/examples/misc/cshtobash
--- bash-3.2/examples/misc/cshtobash.mktemp     2008-12-16 15:05:47.000000000 
+0100
+++ bash-3.2/examples/misc/cshtobash    2008-12-16 17:00:58.000000000 +0100
@@ -15,25 +15,38 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.? cshout cshin' 0 1 2 3 6 15
+function clean()
+{
+       rm -f $TMPFILE1 $TMPFILEa $TMPFILEe $TMPFILEv $TMPFILEco $TMPFILEci
+       exit 1
+}
+
+TMPFILE1=`mktemp -t cb.1.XXXXXX` || clean
+TMPFILEa=`mktemp -t cb.a.XXXXXX` || clean
+TMPFILEe=`mktemp -t cb.e.XXXXXX` || clean
+TMPFILEv=`mktemp -t cb.v.XXXXXX` || clean
+TMPFILEco=`mktemp -t cshout.XXXXXX` || clean
+TMPFILEci=`mktemp -t cshin.XXXXXX` || clean
+
+trap "rm -f $TMPFILE1 $TMPFILEa $TMPFILEe $TMPFILEv $TMPFILEco $TMPFILEci" 0 1 
2 3 6 15
 
 T=$'\t'
 
 SOURCE="${1:+source $1}"
 
-cat << EOF >cshin
+cat << EOF >$TMPFILEci
 $SOURCE
-alias >! /tmp/cb$$.a
-setenv >! /tmp/cb$$.e
-set >! /tmp/cb$$.v
+alias >! $TMPFILEa
+setenv >! $TMPFILEe
+set >! $TMPFILEv
 EOF
 
 # give csh a minimal environment, similar to what login would provide
-/usr/bin/env - USER=$USER HOME=$HOME PATH=/usr/bin:/bin:/usr/ucb:. TERM=$TERM 
SHELL=$SHELL /bin/csh -i < ./cshin > cshout 2>&1
+/usr/bin/env - USER=$USER HOME=$HOME PATH=/usr/bin:/bin:/usr/ucb:. TERM=$TERM 
SHELL=$SHELL /bin/csh -i < $TMPFILEci > $TMPFILEco 2>&1
 
 # First convert aliases
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE1
 mkalias ()
 {
        case $2 in
@@ -49,12 +62,12 @@ mkalias ()
 }
 EOF
 
-sed "s/^\([a-zA-Z0-9_]*\)$T\(.*\)$/mkalias \1 '\2'/" < /tmp/cb$$.a 
>>/tmp/cb$$.1
+sed "s/^\([a-zA-Z0-9_]*\)$T\(.*\)$/mkalias \1 '\2'/" < $TMPFILEa >>$TMPFILE1
 
 echo '# csh aliases'
 echo
 
-$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+$BASH $TMPFILE1 | sed -e 's/\$cwd/\$PWD/g' \
                   -e 's/\$term/\$TERM/g' \
                   -e 's/\$home/\$HOME/g' \
                   -e 's/\$user/\$USER/g' \
@@ -70,7 +83,7 @@ sed -e '/^SHLVL/d' \
     -e '/^PWD/d' \
     -e "s/'/'"\\\\"''"/g \
     -e "s/^\([A-Za-z0-9_]*=\)/export \1'/" \
-    -e "s/$/'/" < /tmp/cb$$.e
+    -e "s/$/'/" < $TMPFILEe
 
 # Finally, convert local variables
 echo
@@ -82,7 +95,7 @@ sed -e 's/'"$T"'/=/' \
     -e '/^[A-Za-z0-9_]*=[^(]/{
        s/=/='"'/"'
        s/$/'"'/"'
-       }' < /tmp/cb$$.v |
+       }' < $TMPFILEv |
 sed -e '/^argv=/d' -e '/^cwd=/d' -e '/^filec=/d' -e '/^status=/d' \
         -e '/^verbose=/d' \
         -e '/^term=/d' \
@@ -110,7 +123,7 @@ echo
 echo '# special csh variables converted to bash equivalents'
 echo
 
-sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
+sed -e 's/'"$T"'/=/' < $TMPFILEv |
 grep "^cdpath=" |
 sed 's/(//
      s/ /:/g
@@ -118,7 +131,7 @@ sed 's/(//
      s/cdpath=/CDPATH=/'
 
 
-sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
+sed -e 's/'"$T"'/=/' < $TMPFILEv |
 grep "^mail=" |
 sed 's/(//
      s/ /:/g
diff -up bash-3.2/examples/misc/aliasconv.bash.mktemp 
bash-3.2/examples/misc/aliasconv.bash
--- bash-3.2/examples/misc/aliasconv.bash.mktemp        2008-12-16 
14:52:56.000000000 +0100
+++ bash-3.2/examples/misc/aliasconv.bash       2008-12-16 16:55:45.000000000 
+0100
@@ -7,11 +7,13 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
+TMPFILE=`mktemp -t cb.XXXXX` || exit 1
+
+trap "rm -f $TMPFILE" 0 1 2 3 6 15
 
 T=$'\t'
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE
 mkalias ()
 {
        case $2 in
@@ -31,9 +33,9 @@ EOF
 # since they whole thing is going to be surrounded by single quotes when
 # passed to mkalias
 
-sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" 
>>/tmp/cb$$.1
+sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" 
>>$TMPFILE
 
-$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+$BASH $TMPFILE | sed -e 's/\$cwd/\$PWD/g' \
                     -e 's/\$term/\$TERM/g' \
                     -e 's/\$home/\$HOME/g' \
                     -e 's/\$user/\$USER/g' \
diff -up bash-3.2/examples/misc/aliasconv.sh.mktemp 
bash-3.2/examples/misc/aliasconv.sh
--- bash-3.2/examples/misc/aliasconv.sh.mktemp  2002-11-30 23:20:23.000000000 
+0100
+++ bash-3.2/examples/misc/aliasconv.sh 2008-12-16 16:55:58.000000000 +0100
@@ -7,11 +7,12 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
+TMPFILE=`mktemp -t cbXXXXX` || exit 1
+trap "rm -f $TMPFILE" 0 1 2 3 6 15
 
 T='    '
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE
 mkalias ()
 {
        case $2 in
@@ -31,9 +32,9 @@ EOF
 # since they whole thing is going to be surrounded by single quotes when
 # passed to mkalias
 
-sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" 
>>/tmp/cb$$.1
+sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" 
>>$TMPFILE
 
-sh /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+sh $TMPFILE | sed -e 's/\$cwd/\$PWD/g' \
                     -e 's/\$term/\$TERM/g' \
                     -e 's/\$home/\$HOME/g' \
                     -e 's/\$user/\$USER/g' \

[Prev in Thread]

Current Thread

[Next in Thread]

Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack), Roman Rakus <=

Prev by Date: Re: malloc/realloc problem under repeated tab completition
Next by Date: Re: malloc/realloc problem under repeated tab completition
Previous by thread: malloc/realloc problem under repeated tab completition
Next by thread: <<NULL patch
Index(es):
- Date
- Thread