Package: razor Version: 2.610-2 Severity: grave Tags: security patch sid testing
The use done of files under /tmp by Razor for logging is unsafe and open to symlink attacks. It would be best if Razor would use safely created temporary files and directories to prevent a local installation from being harmed by a rogue user. I belive the attached patch accounts for all the unsafe usages of /tmp I've spotted through an audit of the source code. I have not tested it however, as I don't actually use Razor myself. BTW the debian/changelog refers to RAZOR_HOME (which says it defaults to /tmp). However the code uses RAZORHOME (as the location of the configuration files and such) and I seem to be unable to find any references to RAZOR_HOME in the code. Is this debian changelog entry correct: (in 2.400-1) * Without syslog, razor logs to RAZOR_HOME, which defaults to /tmp. * I am not going to change the default RAZOR_HOME to /var/log as one * person requested because people that would not work for individual * users (no write permission). Seems to me like all logging is done to /tmp. Regards Javier
diff -Nru razor-2.610.orig/lib/Razor2/Client/Agent.pm razor-2.610/lib/Razor2/Client/Agent.pm --- razor-2.610.orig/lib/Razor2/Client/Agent.pm 2005-01-26 08:48:06.000000000 +0100 +++ razor-2.610/lib/Razor2/Client/Agent.pm 2005-01-26 22:58:37.000000000 +0100 @@ -22,6 +22,7 @@ use Razor2::Preproc::Manager; use Data::Dumper; use vars qw( $VERSION $PROTOCOL ); +use File::Temp qw/ tempfile tempdir /; $PROTOCOL = $Razor2::Client::Version::PROTOCOL; @@ -130,7 +131,7 @@ LogPrefix => $self->{breed}, LogTimestamp => 1, DontDie => 1, - Log2FileDir => defined($self->{conf}->{tmp_dir}) ? $self->{conf}->{tmp_dir} : "/tmp", + Log2FileDir => defined($self->{conf}->{tmp_dir}) ? $self->{conf}->{tmp_dir} : tempdir (CLEANUP => 1), ); $self->{logref} = ref($logger) ? $logger : 0; # log error strings at loglevel 11. Pick a high number 'cuz diff -Nru razor-2.610.orig/lib/Razor2/Logger.pm razor-2.610/lib/Razor2/Logger.pm --- razor-2.610.orig/lib/Razor2/Logger.pm 2003-12-07 09:49:34.000000000 +0100 +++ razor-2.610/lib/Razor2/Logger.pm 2005-01-26 22:57:25.000000000 +0100 @@ -10,6 +10,8 @@ # 2003/09/10 Anne Bennett: syslog of our choice (uses socket, # does not assume network listener). use Sys::Syslog; +# 2005/01/26 Javier Fernandez-Sanguino: use safe temporary directories +use File::Temp qw/ tempfile tempdir /; # designed to be inherited module # but can stand alone. @@ -59,7 +61,7 @@ $self->{LogTimeFormat} ||= "%b %d %H:%M:%S"; # formatting from strftime() $self->{LogDebugLevel} = exists $self->{LogDebugLevel} ? $self->{LogDebugLevel} : 5; - $self->{Log2FileDir} ||= "/tmp"; + $self->{Log2FileDir} ||= tempdir( CLEANUP => 1 ); # 2002/11/27 Anne Bennett: log this at level 2 so we can set level # 1 (to get errors only) and avoid this unneeded line. @@ -121,15 +123,10 @@ return; } my $len = length($$textref); - my $fn = "$self->{Log2FileDir}/razor.$$.$fn_ext"; - - if (open OUT, ">$fn") { - print OUT $$textref; - close OUT; - $self->log($prio,"log2file: wrote message len=$len to file: $fn"); - } else { - $self->log($prio,"log2file: could not write to $fn: $!"); - } + my $fn = tempfile ("razor.XXXXXX", SUFFIX => ".$fn_ext", DIR => $self->{Log2FileDir}" or $self->log($prio,"log2file: could create logfile: $!"); + print $fn $$textref; + close $fn; + $self->log($prio,"log2file: wrote message len=$len to file: $fn"); } 1; diff -Nru razor-2.610.orig/lib/Razor2/Preproc/Manager.pm razor-2.610/lib/Razor2/Preproc/Manager.pm --- razor-2.610.orig/lib/Razor2/Preproc/Manager.pm 2003-08-05 20:30:54.000000000 +0200 +++ razor-2.610/lib/Razor2/Preproc/Manager.pm 2005-01-26 23:01:09.000000000 +0100 @@ -5,6 +5,7 @@ use Razor2::Preproc::deHTML; use Razor2::Preproc::deNewline; use Data::Dumper; +use File::Temp qw/ tempfile /; use strict; sub new { @@ -78,11 +79,10 @@ sub log2file { my ($self, $msgref, $mailid) = @_; my $len = length($$msgref); - my $fn = "/tmp/.razor.debug.msg.$$.$mailid"; - if (open OUT, ">$fn") { - print OUT $$msgref; - close OUT; - } else { + my $fh = tempfile (".razor.debug.msg.XXXXXX"); + if ($fh) { + print $fh $$msgref; + close $fh; } }
signature.asc
Description: Digital signature
