
Re: Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtoba


From: Roman Rakus
Subject: Re: Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack)
Date: Mon, 05 Jan 2009 16:10:11 +0100
User-agent: Thunderbird 2.0.0.18 (X11/20081119)

Roman Rakus wrote:
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5374
http://lists.debian.org/debian-devel/2008/08/msg00347.html
http://uvw.ru/report.sid.txt



Attaching patch. Changed to use mktemp.
RR
Attached is a slightly improved patch.
What do you think about it, Chet?
RR
diff -up bash-3.2/examples/misc/cshtobash.mktemp bash-3.2/examples/misc/cshtobash
--- bash-3.2/examples/misc/cshtobash.mktemp     2008-12-16 15:05:47.000000000 +0100
+++ bash-3.2/examples/misc/cshtobash    2008-12-17 14:45:05.000000000 +0100
@@ -15,25 +15,34 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.? cshout cshin' 0 1 2 3 6 15
+trap 'rm -f $TMPFILE1 $TMPFILEa $TMPFILEe $TMPFILEv $TMPFILEco $TMPFILEci' 0 1 2 3 6 15
+
+{ TMPFILE1=$(mktemp -t cb.1.XXXXXX) &&
+  TMPFILEa=$(mktemp -t cb.a.XXXXXX) &&
+  TMPFILEe=$(mktemp -t cb.e.XXXXXX) &&
+  TMPFILEv=$(mktemp -t cb.v.XXXXXX) &&
+  TMPFILEco=$(mktemp -t cshout.XXXXXX) &&
+  TMPFILEci=$(mktemp -t cshin.XXXXXX)
+} || exit 1
+
 
 T=$'\t'
 
 SOURCE="${1:+source $1}"
 
-cat << EOF >cshin
+cat << EOF >$TMPFILEci
 $SOURCE
-alias >! /tmp/cb$$.a
-setenv >! /tmp/cb$$.e
-set >! /tmp/cb$$.v
+alias >! $TMPFILEa
+setenv >! $TMPFILEe
+set >! $TMPFILEv
 EOF
 
 # give csh a minimal environment, similar to what login would provide
-/usr/bin/env - USER=$USER HOME=$HOME PATH=/usr/bin:/bin:/usr/ucb:. TERM=$TERM SHELL=$SHELL /bin/csh -i < ./cshin > cshout 2>&1
+/usr/bin/env - USER=$USER HOME=$HOME PATH=/usr/bin:/bin:/usr/ucb:. TERM=$TERM SHELL=$SHELL /bin/csh -i < $TMPFILEci > $TMPFILEco 2>&1
 
 # First convert aliases
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE1
 mkalias ()
 {
        case $2 in
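Review bot: The replacement `trap` still only removes the files and does not exit, so after signal 1, 2, 3, 6 or 15 the script presumably carries on and the later `>>$TMPFILE1` and `< $TMPFILEv` redirections reopen paths that have just been unlinked. An append redirection then recreates the name with an ordinary open, at a path other local users have been able to see, which is the situation mktemp was introduced to avoid. Splitting the handler keeps the cleanup and stops the script: `trap 'rm -f "$TMPFILE1" "$TMPFILEa" "$TMPFILEe" "$TMPFILEv" "$TMPFILEco" "$TMPFILEci"' 0` followed by `trap 'exit 1' 1 2 3 6 15`. The same trap shape appears in the aliasconv.bash and aliasconv.sh hunks, and the mkalias here-document at the end of this hunk continues outside it.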
@@ -49,12 +58,12 @@ mkalias ()
 }
 EOF
 
-sed "s/^\([a-zA-Z0-9_]*\)$T\(.*\)$/mkalias \1 '\2'/" < /tmp/cb$$.a >>/tmp/cb$$.1
+sed "s/^\([a-zA-Z0-9_]*\)$T\(.*\)$/mkalias \1 '\2'/" < $TMPFILEa >>$TMPFILE1
 
 echo '# csh aliases'
 echo
 
-$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+$BASH $TMPFILE1 | sed -e 's/\$cwd/\$PWD/g' \
                   -e 's/\$term/\$TERM/g' \
                   -e 's/\$home/\$HOME/g' \
                   -e 's/\$user/\$USER/g' \
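Review bot: The new redirections and the `$BASH $TMPFILE1` invocation expand the mktemp paths unquoted, and `mktemp -t` builds those paths under `$TMPDIR`, which the caller controls. A TMPDIR containing whitespace or glob characters would make these lines fail or act on a different word than intended; quoting is enough, e.g. `sed ... < "$TMPFILEa" >>"$TMPFILE1"` and `$BASH "$TMPFILE1" | sed ...`. The same applies to the one-line `< $TMPFILEe` and `< $TMPFILEv` substitutions in the four hunks that follow and to the `>>$TMPFILE`, `$BASH $TMPFILE` and `sh $TMPFILE` lines in aliasconv.bash and aliasconv.sh. The sed pipeline at the end of this hunk continues outside it.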
@@ -70,7 +79,7 @@ sed -e '/^SHLVL/d' \
     -e '/^PWD/d' \
     -e "s/'/'"\\\\"''"/g \
     -e "s/^\([A-Za-z0-9_]*=\)/export \1'/" \
-    -e "s/$/'/" < /tmp/cb$$.e
+    -e "s/$/'/" < $TMPFILEe
 
 # Finally, convert local variables
 echo
@@ -82,7 +91,7 @@ sed -e 's/'"$T"'/=/' \
     -e '/^[A-Za-z0-9_]*=[^(]/{
        s/=/='"'/"'
        s/$/'"'/"'
-       }' < /tmp/cb$$.v |
+       }' < $TMPFILEv |
 sed -e '/^argv=/d' -e '/^cwd=/d' -e '/^filec=/d' -e '/^status=/d' \
         -e '/^verbose=/d' \
         -e '/^term=/d' \
@@ -110,7 +119,7 @@ echo
 echo '# special csh variables converted to bash equivalents'
 echo
 
-sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
+sed -e 's/'"$T"'/=/' < $TMPFILEv |
 grep "^cdpath=" |
 sed 's/(//
      s/ /:/g
@@ -118,7 +127,7 @@ sed 's/(//
      s/cdpath=/CDPATH=/'
 
 
-sed -e 's/'"$T"'/=/' < /tmp/cb$$.v |
+sed -e 's/'"$T"'/=/' < $TMPFILEv |
 grep "^mail=" |
 sed 's/(//
      s/ /:/g
diff -up bash-3.2/examples/misc/aliasconv.bash.mktemp bash-3.2/examples/misc/aliasconv.bash
--- bash-3.2/examples/misc/aliasconv.bash.mktemp        2008-12-16 14:52:56.000000000 +0100
+++ bash-3.2/examples/misc/aliasconv.bash       2008-12-17 14:40:37.000000000 +0100
@@ -7,11 +7,13 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
+trap 'rm -f $TMPFILE' 0 1 2 3 6 15
+
+TMPFILE=$(mktemp -t cb.XXXXXX) || exit 1
 
 T=$'\t'
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE
 mkalias ()
 {
        case $2 in
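Review bot: The `trap` is armed before `TMPFILE` is assigned, so until the `mktemp` line has run the handler expands whatever `TMPFILE` the script inherited from its environment. If a signal arrives in that window, `rm -f` is applied to that inherited value rather than to a file this script created. Clearing the variable first (`TMPFILE=` above the trap) or moving the trap below the `mktemp` line closes the gap. cshtobash and aliasconv.sh use the same ordering; the mkalias here-document continues outside this hunk.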
@@ -31,9 +33,9 @@ EOF
 # since they whole thing is going to be surrounded by single quotes when
 # passed to mkalias
 
-sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>/tmp/cb$$.1
+sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>$TMPFILE
 
-$BASH /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+$BASH $TMPFILE | sed -e 's/\$cwd/\$PWD/g' \
                     -e 's/\$term/\$TERM/g' \
                     -e 's/\$home/\$HOME/g' \
                     -e 's/\$user/\$USER/g' \
diff -up bash-3.2/examples/misc/aliasconv.sh.mktemp bash-3.2/examples/misc/aliasconv.sh
--- bash-3.2/examples/misc/aliasconv.sh.mktemp  2002-11-30 23:20:23.000000000 +0100
+++ bash-3.2/examples/misc/aliasconv.sh 2008-12-17 14:40:46.000000000 +0100
@@ -7,11 +7,11 @@
 # Chet Ramey
 # chet@po.cwru.edu
 #
-trap 'rm -f /tmp/cb$$.?' 0 1 2 3 6 15
-
+trap 'rm -f $TMPFILE' 0 1 2 3 6 15
+TMPFILE=$(mktemp -t cb.XXXXXX) || exit 1
 T='    '
 
-cat << \EOF >/tmp/cb$$.1
+cat << \EOF >$TMPFILE
 mkalias ()
 {
        case $2 in
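Review bot: `TMPFILE=$(mktemp -t cb.XXXXXX)` makes the plain-`sh` variant depend on `mktemp`, which POSIX does not specify, and `-t` does not mean the same thing everywhere: GNU mktemp reads the argument as a template under `$TMPDIR`, while BSD mktemp reads it as a prefix. Giving the template as a full path avoids the option, e.g. `TMPFILE=$(mktemp "${TMPDIR:-/tmp}/cb.XXXXXX") || exit 1`. If this script is meant to keep running on systems without mktemp (an assumption; the hunk does not say), a header comment stating that mktemp is now required would help. The mkalias here-document continues outside the hunk.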
@@ -31,9 +31,9 @@ EOF
 # since they whole thing is going to be surrounded by single quotes when
 # passed to mkalias
 
-sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>/tmp/cb$$.1
+sed -e "s:':\\'\\\'\\':" -e "s/^\([a-zA-Z0-9_-]*\)$T\(.*\)$/mkalias \1 '\2'/" >>$TMPFILE
 
-sh /tmp/cb$$.1 | sed -e 's/\$cwd/\$PWD/g' \
+sh $TMPFILE | sed -e 's/\$cwd/\$PWD/g' \
                     -e 's/\$term/\$TERM/g' \
                     -e 's/\$home/\$HOME/g' \
                     -e 's/\$user/\$USER/g' \
