Your message dated Thu, 31 Mar 2005 10:08:15 -0800 with message-id <[EMAIL PROTECTED]> has caused the Debian Bug report #302412, regarding exploitable temporary file race in unshar to be marked as having been forwarded to the upstream software author(s) Santiago Vila <[EMAIL PROTECTED]>.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Date: Thu, 31 Mar 2005 10:08:15 -0800
From: Bruce Korb <[EMAIL PROTECTED]>
To: Santiago Vila <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED], Joey Hess <[EMAIL PROTECTED]>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

Wrong assumption. It was announced on info-gnu.
These new issues will get faster action with a suggested patch :-).
Thanks - Bruce

Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <[EMAIL PROTECTED]>
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave

Since sharutils is still barely on life support, perhaps it is
not quite yet in the grave....;)

> Tags: security
>
> In unshar.c:
>
>     sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
>     unlink (name_buffer);
>
>     if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
>     find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
>     find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
>     e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
>     echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
>     echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
>     echo 'cat > $temp <<\!!!'
>     ...
>     echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages sharutils depends on:
> ii  debianutils    2.13.2          Miscellaneous utilities specific t
> ii  libc6          2.3.2.ds1-20    GNU C Library: Shared libraries an
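
The difference between the fopen() step quoted in the report and an exclusive create, as an added C example (not sharutils code, and not written by anyone in this thread). The scratch directory, the file names and the helpers open_legacy, open_exclusive and victim_size_after are constructed for the illustration; the symlink is planted inside a private mkdtemp() directory, so only the open step is exercised.

```c
/* Added illustration; not sharutils code. Paths are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The fopen() step quoted in the report: follows a symlink, truncates its target. */
static FILE *open_legacy(const char *path) { return fopen(path, "w+"); }

/* Hardened: O_EXCL makes open() fail (EEXIST) if anything, a symlink included,
 * already exists at path; mode 0600 keeps other users out of the new file. */
static FILE *open_exclusive(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w+");
    if (!f)
        close(fd);
    return f;
}

/* Plant a symlink at the predictable name inside a private scratch directory,
 * run one opener on it, and return the victim file's size afterwards (-1 on error). */
static long victim_size_after(int hardened)
{
    char dir[] = "/tmp/unsh-demo.XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/unsh.%05d", dir, (int) getpid());
    FILE *v = fopen(victim, "w");
    if (!v || fputs("important data\n", v) < 0 || fclose(v) != 0 || symlink(victim, tmp) != 0)
        return -1;
    FILE *f = hardened ? open_exclusive(tmp) : open_legacy(tmp);
    if (f)
        fclose(f);
    long size = stat(victim, &st) == 0 ? (long) st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("legacy fopen: victim is %ld bytes\n", victim_size_after(0));
    printf("O_EXCL open:  victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

In real code mkstemp() is the usual choice, since it combines the exclusive create with an unpredictable name.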