Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

    sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
    unlink (name_buffer);
    if (file = fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible, to race unshar
when it is run on stdin, and cause it to fopen a symlink that points at an
arbitrary file, which will then be replaced with the contents of the shell
archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

    find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

    find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

    e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

    echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
    echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
    echo 'cat > $temp <<\!!!'
    ...
    echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sharutils depends on:
ii  debianutils   2.13.2         Miscellaneous utilities specific t
ii  libc6         2.3.2.ds1-20   GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo
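Added example, not code from the sharutils source or from this report: the usual fix for the predictable "/tmp/unsh.<pid>" temp file is to let mkstemp() pick the name and create the file atomically with O_CREAT|O_EXCL and mode 0600, so there is no window in which a pre-placed symlink can be followed. The function names, the TMPDIR handling and the fstat-based sanity check are assumptions of this example; the spooled archive text is constructed.

```c
/* Added example (not from sharutils): a race-free replacement for
 * sprintf("/tmp/unsh.%05d") + unlink() + fopen("w+"). Names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<TMPDIR or /tmp>/unsh.XXXXXX" and create it with mkstemp(), which
 * opens the file with O_CREAT|O_EXCL and mode 0600 in one step. Because the
 * name is random and the open is exclusive, an attacker cannot pre-place a
 * symlink the way they can against a "/tmp/unsh.<pid>" name.
 * Returns the open fd (path written to path_out) or -1 on failure. */
int unshar_open_temp(char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, path_len, "%s/unsh.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;                     /* path would not fit */
    return mkstemp(path_out);          /* -1 with errno set on failure */
}

/* Defensive check on the open fd before spooling anything into it: it must
 * be a regular file, with exactly one link, owned by us, and not group/world
 * accessible. A symlink target, FIFO or someone else's file fails this. */
int unshar_temp_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_nlink == 1
        && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0;
}

/* Spool archive text (what unshar reads from stdin) into the temp file and
 * rewind it, mirroring unshar's "w+" usage. Returns bytes written or -1. */
long unshar_spool(int fd, const char *archive, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t w = write(fd, archive + done, len - done);
        if (w < 0)
            return -1;
        done += (size_t)w;
    }
    if (lseek(fd, 0, SEEK_SET) != 0)
        return -1;
    return (long)done;
}

/* Read the spooled bytes back from the rewound fd. Returns bytes read or -1. */
long unshar_readback(int fd, char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r < 0)
            return -1;
        if (r == 0)
            break;
        got += (size_t)r;
    }
    return (long)got;
}

int main(void)
{
    /* Constructed stand-in for a shell archive arriving on stdin. */
    static const char archive[] =
        "#!/bin/sh\n# This is a shell archive (constructed sample)\necho hello\nexit 0\n";
    char path[4096];
    int fd = unshar_open_temp(path, sizeof path);
    if (fd < 0 || !unshar_temp_is_private(fd)) {
        perror("unshar temp file");
        return 1;
    }
    if (unshar_spool(fd, archive, sizeof archive - 1) < 0) {
        perror("write");
        return 1;
    }
    printf("spooled %zu bytes to %s\n", sizeof archive - 1, path);
    unlink(path);   /* unlink after the open: the fd keeps the file alive */
    close(fd);
    return 0;
}
```

The important property is that the name is chosen and the file created inside mkstemp(), so there is nothing for a concurrent process to guess or pre-create; the unlink() now happens after the open, purely for cleanup, rather than as an attempt to clear the way for fopen(). The same reasoning applies to the "/tmp/big" and "/tmp/shar$$" examples in the documentation and contrib script: a caller-chosen fixed or PID-derived path in a shared directory is guessable, and should be replaced by mktemp(1)/mkstemp() output.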