Bug#488140: checkinstall: Unsafe temp dir creation

Felipe Sateler Thu, 26 Jun 2008 10:23:03 -0700

Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole


*** Please type ddyour report below this line ***
Checkinstall (and installwatch) create temporary directories manually
instead of using mktemp, which creates a race condition.

The attached patch changes these into calls to mktemp, which is secure.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages checkinstall depends on:
ii  dpkg-dev                      1.15.0     Debian package development tools
ii  file                          4.24-2     Determines file type using "magic"
ii  findutils                     4.4.0-2    utilities for finding files--find,
ii  libc6                         2.7-12     GNU C Library: Shared libraries

Versions of packages checkinstall recommends:
ii  make                          3.81-5     The GNU version of the "make" util

-- no debconf information

Index: checkinstall
===================================================================
--- checkinstall        (revision 10000)
+++ checkinstall        (working copy)
@@ -965,16 +965,8 @@
 
 # Find a safe TMP_DIR
 
-TMP_DIR=${BASE_TMP_DIR}/`awk 'BEGIN { srand(); for (i=1;i<22;i++) { a=95; 
while (a > 90 && a < 97) { a=65+int(50*rand())}; printf("%c", a) } }'`
-[ -e "$TMP_DIR" ] && rm -rf $TMP_DIR
-if [ -e "$TMP_DIR" ]; then 
-   echo
-   echog "My temp dir exists already.\nThis looks like a symlink attack!"
-   echo 
-   echog "*** Aborting"
-   echo
-   exit 1
-fi
+TMP_DIR=`mktemp -q -d -p "${BASE_TMP_DIR}"`
+RETURN=$?
 
 if [ "$TMP_DIR" = "$BASE_TMP_DIR" -o "$TMP_DIR" = "/" ]; then
   echo 
@@ -985,11 +977,6 @@
   exit 1
 fi
 
-
-mkdir $TMP_DIR
-chmod 700 $TMP_DIR
-RETURN=$?
-
 if [ $RETURN -gt 0 ]; then
    echo
    echog "**** Failed to create temp dir! \n**** Do you have write permission 
for %s? \n\n**** Aborting installation." "$BASE_TMP_DIR"
Index: installwatch-0.7.0beta5/installwatch
===================================================================
--- installwatch-0.7.0beta5/installwatch        (revision 10000)
+++ installwatch-0.7.0beta5/installwatch        (working copy)
@@ -74,31 +74,8 @@
        local mkt_refdir=$1
        local mkt_wrkdir=""
 
-       mkt_wrkdir=${BASE_TMP_DIR}/\
-`awk 'BEGIN {\
-       srand();\
-       for (i=1;i<21;i++) {\
-               a=95;\
-               while (a > 90 && a < 97) {\
-                       a=65+int(50*rand())\
-               };\
-               printf("%c", a) \
-       }\
-}'`
-       
-       [ -e "${mkt_wrkdir}" ] && rm -rf ${mkt_wrkdir}
-       if [ -e "${mkt_wrkdir}" ]; then 
-               echo
-               echo "Error : My temp dir exists already. This looks like a 
symlink attack!"
-               echo 
-               echo "*** Aborting ***"
-               echo
-               exit 1
-       fi      
+       mkt_wrkdir=`mktemp -q -d -p ${BASE_TMP_DIR}`
 
-       mkdir ${mkt_wrkdir}
-       chmod 0700 ${mkt_wrkdir}
-
        eval $mkt_refdir=\$mkt_wrkdir
 }

Bug#488140: checkinstall: Unsafe temp dir creation

Reply via email to