Your message dated Fri, 01 Apr 2005 13:17:40 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#302412: fixed in sharutils 1:4.2.1-13
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 31 Mar 2005 16:48:53 +0000
>From [EMAIL PROTECTED] Thu Mar 31 08:48:53 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DH2qj-0004H4-00; Thu, 31 Mar 2005 08:48:53 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.177])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id D39B9183E8
        for <[EMAIL PROTECTED]>; Thu, 31 Mar 2005 16:48:51 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id DE8BA6E618; Thu, 31 Mar 2005 06:51:57 -1000 (HST)
Date: Thu, 31 Mar 2005 06:51:57 -1000
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: exploitable temporary file race in unshar
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8"
Content-Disposition: inline
X-Reportbug-Version: 3.9
User-Agent: Mutt/1.5.8i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

      sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
      unlink (name_buffer);

      if (file = fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

              find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

          find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

        echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
        echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
        echo 'cat > $temp <<\!!!'
...
        echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sharutils depends on:
ii  debianutils                 2.13.2       Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo

--ibTvN161/egqYuK8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCTCqsd8HHehbQuO8RAnCRAJ9NIrBNRnIIaG0xD4rjC90+a+QvZgCgpTmu
KplWlfZZjfqFNsd6U+9jmm4=
=DTZO
-----END PGP SIGNATURE-----

--ibTvN161/egqYuK8--
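The fix that shipped in 1:4.2.1-13 is only described in the changelog below, not shown in this thread. As an added example (not sharutils code and not the Debian patch), the following C shows the standard replacement for the sprintf()/unlink()/fopen("w+") sequence quoted in the report: mkstemp() creates the scratch file with O_CREAT|O_EXCL and mode 0600 under an unpredictable name, so there is no window between choosing the name and opening it in which a pre-planted symlink could be followed, and the stream is obtained from that same descriptor with fdopen() rather than by opening the path a second time. The function names (open_private_tmp, tmpfile_is_private, roundtrip_demo), the TMPDIR handling and the sample archive body are assumptions of this example.

```c
/* Added example (not sharutils code): safe replacement for the
 * sprintf("/tmp/unsh.%05d", getpid()) + unlink() + fopen("w+") pattern. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create the scratch file atomically. mkstemp() opens with O_CREAT|O_EXCL
 * and mode 0600 under an unpredictable name: an existing path (symlink or
 * otherwise) is never opened, and the name cannot be guessed from the pid.
 * On success path_out holds the real name, needed only for the final unlink. */
FILE *open_private_tmp(char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPDIR");          /* honour TMPDIR, as mktemp(1) does */
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    int n = snprintf(path_out, path_len, "%s/unsh.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return NULL;                             /* template would not fit */

    int fd = mkstemp(path_out);                  /* XXXXXX is rewritten in place */
    if (fd < 0)
        return NULL;

    FILE *f = fdopen(fd, "w+");                  /* reuse the fd: no second open by name */
    if (f == NULL) {
        close(fd);
        unlink(path_out);
        return NULL;
    }
    return f;
}

/* Defensive check on an already-open stream: a regular file with a single
 * link, owned by us, with no group/other permission bits. */
int tmpfile_is_private(FILE *f)
{
    struct stat st;
    if (f == NULL || fstat(fileno(f), &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == getuid() && (st.st_mode & 077) == 0;
}

/* Write a constructed archive body to the scratch file, read it back through
 * the same stream, and clean up. Returns 1 on success, 0 on any failure. */
int roundtrip_demo(void)
{
    /* constructed sample, not a real shar archive */
    static const char sample[] = "#!/bin/sh\n# sample shar body (constructed)\n";
    char path[4096];
    char buf[sizeof sample];
    FILE *f = open_private_tmp(path, sizeof path);
    if (f == NULL)
        return 0;

    int ok = tmpfile_is_private(f);
    ok = ok && fputs(sample, f) != EOF && fflush(f) == 0;
    rewind(f);
    memset(buf, 0, sizeof buf);
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    ok = ok && got == strlen(sample) && strcmp(buf, sample) == 0;

    fclose(f);
    unlink(path);          /* remove after use; the unlink-before-open gave no protection */
    return ok;
}

int main(void)
{
    printf("private temp file round trip: %s\n", roundtrip_demo() ? "ok" : "FAILED");
    return 0;
}
```

The point of the design is that the name is never the security boundary: the original unlink() only narrows the race between the predictable name being freed and fopen() creating it, while O_EXCL removes the race entirely. The shell fragments in the report (temp=/tmp/shar$$) have the same weakness for the same reason, and the shell counterpart of this pattern is mktemp(1).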

---------------------------------------
Received: (at 302412-close) by bugs.debian.org; 1 Apr 2005 18:23:03 +0000
>From [EMAIL PROTECTED] Fri Apr 01 10:23:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from gluck.debian.org [192.25.206.10] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DHQnP-0000aZ-00; Fri, 01 Apr 2005 10:23:03 -0800
Received: from newraff.debian.org [208.185.25.31] (mail)
        by gluck.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DHQnO-0001Ok-00; Fri, 01 Apr 2005 11:23:02 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DHQiC-0007GZ-00; Fri, 01 Apr 2005 13:17:40 -0500
From: Santiago Vila <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#302412: fixed in sharutils 1:4.2.1-13
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 01 Apr 2005 13:17:40 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: sharutils
Source-Version: 1:4.2.1-13

We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:

sharutils-doc_4.2.1-13_all.deb
  to pool/main/s/sharutils/sharutils-doc_4.2.1-13_all.deb
sharutils_4.2.1-13.diff.gz
  to pool/main/s/sharutils/sharutils_4.2.1-13.diff.gz
sharutils_4.2.1-13.dsc
  to pool/main/s/sharutils/sharutils_4.2.1-13.dsc
sharutils_4.2.1-13_i386.deb
  to pool/main/s/sharutils/sharutils_4.2.1-13_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <[EMAIL PROTECTED]> (supplier of updated sharutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  1 Apr 2005 19:57:40 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[EMAIL PROTECTED]>
Changed-By: Santiago Vila <[EMAIL PROTECTED]>
Description: 
 sharutils  - shar, unshar, uuencode, uudecode
 sharutils-doc - Documentation for GNU sharutils
Closes: 302412
Changes: 
 sharutils (1:4.2.1-13) unstable; urgency=medium
 .
   * Fixed insecure temporary file creation in unshar (Closes: #302412).
     Changed also texinfo and shar(1) examples to read /somewhere/foo
     instead of /tmp/foo. Reported by Joey Hess.
Files: 
 70e24dfeee9fbd9702dd5291444bf7a6 616 utils standard sharutils_4.2.1-13.dsc
 b0fd598dffd23e0d77a910a50a37ac93 8304 utils standard sharutils_4.2.1-13.diff.gz
 bda14234eb1b418d42184cf3b2e39008 27956 doc optional sharutils-doc_4.2.1-13_all.deb
 4b482981eae8ea71c85427f7c1100db2 111344 utils standard sharutils_4.2.1-13_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCTYvwd9Uuvj7yPNYRArcTAKCB3v2NrpdqiMi+jzltHbcmg1wFxQCePU9b
oqvs3YCwFKboAqxDBFywBYc=
=4cM1
-----END PGP SIGNATURE-----

