Bug#286392: autopoint: Insecure temporary directory usage (fwd)

[Santiago Vila]

Hello.

Received this from the Debian bug system.

---------- Forwarded message ----------
From: Javier Fernández-Sanguino Peña <address@hidden>
To: address@hidden
Date: Mon, 20 Dec 2004 00:49:41 +0100
Subject: Bug#286392: autopoint: Insecure temporary directory usage

Package: gettext
Version: 0.14.1-6
Priority: normal
Tags: security

The autopoint script does not protect itself from temporary directory
attacks. Even though it creates a temporary directory and will abort
if it exists, the directory itself is not safe (depends on the user's
umask) and symlink attacks can be used against the directory contents
through race conditions. For example, consider the possibility of a
user with an "open" umask that creates file writable by his group,
a member of the same group could create a CVS directory in autopoint's
directory and have symlinks from common CVS files there (CVSRoot) to
other files to force a symlink attack to files the user might not have=20
access and belong to the user running the script.

The attached patch tries to prevent this by using safer umask settings
when creating the temporary directories.


Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <address@hidden>

--- autopoint.orig      2004-12-20 00:44:05.000000000 +0100
+++ autopoint   2004-12-20 00:44:48.000000000 +0100
@@ -310,6 +310,8 @@
 # - work_dir        directory containing the temporary checkout
 cvs_dir=tmpcvs$$
 work_dir=tmpwrk$$
+um=`umask`
+umask 077
 mkdir "$cvs_dir"
 if [ $? -ne 0 ]; then
   echo "ERROR making $cvs_dir"
@@ -320,6 +322,7 @@
   echo "ERROR making $work_dir"
   exit 1
 fi
+umask $um
 CVSROOT="$srcdir/$cvs_dir"
 export CVSROOT
 unset CVS_CLIENT_LOG