tag 508940 + patch
thanks

Hi,

I am attaching a patch for this bug. Please note I have _not_ tested
the patch, only quickly implemented it.

This patch _does_ change the program's behaviour, although in the
least intrusive way possible. Instead of downloading the file to work
on to /tmp, netdisco-mibs-download will create a /tmp/netdisco-mibs
directory (or if it exists already, will ensure it is owned by root
and not group- or world-writable). Likewise, netdisco-mibs-install
will only work if both the directory and the file downloaded to it are
root-owned and not group- or world-writable.

I am not completely happy leaving this directory in /tmp, though. It
could probably be better to put it in /var/cache. And, of course, to
delete it after being consumed. But that's completely up to the
maintainer.

As I said above, I have not tested this, not even its syntax, and I am
not familiar with the package - so I am not uploading an NMU. I hope
this patch is good for you!

Greetings

-- 
Gunnar Wolf - gw...@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
diff --git a/usr/sbin/netdisco-mibs-download b/usr/sbin/netdisco-mibs-download
index ab4c4b1..5a307ab 100755
--- a/usr/sbin/netdisco-mibs-download
+++ b/usr/sbin/netdisco-mibs-download
@@ -13,12 +13,37 @@ if ($> != 0) {
     exit 2;
 }
 
+# Check our destination directory exists (or create) and is sane
+# (i.e. avoid symlink attacks - CVE-2008-5379[0])
+# 
+# We cannot use mktemp as this path should be available to
+# netdisco-mibs-install, invoked independently.
+my $destdir = '/tmp/netdisco-mibs';
+if (-e $destdir) {
+    my @stat = stat($destdir);
+    my $mode = sprintf('%04o', $stat[2] & 07777);
+    my $maxmode = 0755;
+    if (! -d $destdir or $stat[4] != 0 or $maxmode - $mode) {
+	print "$destdir exists and is not a root-owned directory with " .
+	    "permissions set to 0755 (or less)\n";
+	exit 3;
+    }
+} else {
+    unless (mkdir($destdir)) {
+	print "Could not create destination directory $destdir\n";
+	exit 3;
+    }
+}
+
 my $site  = 'dl.sourceforge.net';
 #my $source = 'audacity/audacity-src-1.2.6.tar.bz2'; # for testing
 my $source = 'netdisco/netdisco-mibs-0.6.tar.gz';
 my $target = [fileparse($source)]->[0]; # get file name part
+my $destfile = "$destdir/$target";
 my $homepage = 'http://sourceforge.net/project/showfiles.php?group_id=80033&package_id=135517';
 
+unlink($destfile) if -e $destfile;
+
 # get list of IPs for $site
 my $res   = Net::DNS::Resolver->new;
 my $query = $res->search($site);
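Review bot: the permission test in the `if (-e $destdir)` branch is wrong in both directions. `$mode` comes from `sprintf('%04o', ...)` and is the string "0755", which numifies to decimal 755, while `$maxmode = 0755` is an octal literal worth 493, so `$maxmode - $mode` is non-zero for a directory that really is 0755 and the script will always exit 3 once the directory exists; a subtraction also does not express "0755 or less" (a 0700 directory gives a non-zero difference as well). Test the bits directly instead, e.g. `if (! -d $destdir or $stat[4] != 0 or ($stat[2] & 07022))`, which rejects any group/world write bit and the setuid/setgid/sticky bits. Two smaller points in the same block: `-e`, `-d` and `stat` all follow symlinks, so a symlink planted at /tmp/netdisco-mibs pointing at some root-owned 0755 directory passes the check and the download (and the later `unlink($destfile)`) then acts inside that target; use `lstat` and `-l` to reject a symlink at that path outright. And `mkdir($destdir)` creates the directory with the caller's umask, so pass the mode explicitly, `mkdir($destdir, 0755)`, to guarantee what netdisco-mibs-install later checks for.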
@@ -41,7 +66,7 @@ foreach my $mirror (@sf_mirrors) {
     my $request = HTTP::Request->new(GET =>
         "http://$mirror/sourceforge/$source";);
 
-    my $response = $ua->request($request, "/tmp/$target");
+    my $response = $ua->request($request, $destfile);
 
     if ($response->is_success) {
         print "Downloaded ok from [$mirror], please now run netdisco-mibs-install.\n";
@@ -57,7 +82,7 @@ foreach my $mirror (@sf_mirrors) {
 print "\nSorry, it has not been possible to download the Netdisco MIB bundle.\n";
 print "Please go to the Netdisco Sourceforge page, and download $target:\n";
 print "    $homepage\n";
-print "\nSave this file to /tmp/$target and then run netdisco-mibs-install.\n";
+print "\nSave this file to $destfile and then run netdisco-mibs-install.\n";
 
 exit 1;
 __END__
@@ -98,6 +123,8 @@ information about failed mirror site downloads.
 
 =item 2 - Program must be run as root, and you are not root
 
+=item 3 - Error regarding the download directory
+
 =back
 
 =head1 AUTHOR
diff --git a/usr/sbin/netdisco-mibs-install b/usr/sbin/netdisco-mibs-install
index d97586d..cc6229b 100755
--- a/usr/sbin/netdisco-mibs-install
+++ b/usr/sbin/netdisco-mibs-install
@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 
+BASEDIR="/tmp/netdisco-mibs"
 TARBALL="netdisco-mibs-0.6.tar.gz"
 UNPACK_DIR="netdisco-mibs-0.6"
 SHAREDIR="/usr/share/netdisco/mibs"
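Review bot: `BASEDIR="/tmp/netdisco-mibs"` duplicates the `my $destdir = '/tmp/netdisco-mibs'` literal in netdisco-mibs-download, and the two scripts only work together while the values agree; a comment next to either definition pointing at the other would help the maintainer keep them in sync (or, as the cover mail suggests, a single agreed location under /var/cache).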
@@ -12,20 +13,27 @@ if [ "$UID" -ne "0" ]; then
     exit 1
 fi
 
-rm -rf /tmp/$UNPACK_DIR
+rm -rf $BASEDIR/$UNPACK_DIR
 
-if [ ! -s /tmp/$TARBALL ]; then
-    echo >&2 "$0: error: /tmp/$TARBALL must exist"
+if [ ! -s $BASEDIR/$TARBALL ]; then
+    echo >&2 "$0: error: $BASEDIR/$TARBALL must exist"
     echo >&2 "Have you run netdisco-mibs-download ?"
     exit 2
 fi
 
-if [ "`ls -l /tmp/$TARBALL | awk '{print $3}'`" != root ]; then
-    echo >&2 "$0: error: file not owned by root: /tmp/$TARBALL"
+for file in $BASEDIR $BASEDIR/$TARBALL; do
+    if [ "`ls -l $file | awk '{print $3}'`" != root ]; then
+	echo >&2 "$0: error: file not owned by root: $file"
+	exit 3
+    fi
+done
+
+if ! stat $BASEDIR|grep '^Access:.*drwx.-..-.'>/dev/null; then
+    echo >&2 "$0: error: Should be writable only by root: $BASEDIR"
     exit 3
-fi
+else
 
-cd /tmp
+cd $BASEDIR
 tar -x -z -f $TARBALL
 chmod -R og-w $UNPACK_DIR
 chown -R root:root $UNPACK_DIR
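Review bot: the `-fi` / `+else` replacement after the `stat $BASEDIR|grep ...` test leaves that `if` unterminated; no matching `fi` appears anywhere later in the file (the following hunk goes straight to the final `rm -rf` and `exit 0`), so with `set -e` the script will not even parse. Since the then-branch already does `exit 3`, the `else` is unnecessary: keep the original `fi` and leave `cd $BASEDIR` at top level. Second, the ownership loop runs `ls -l $file | awk '{print $3}'` on `$BASEDIR` itself, but `ls -l` on a directory lists its contents (first line "total N"), not the directory, so `$3` is empty and the loop always fails with "file not owned by root"; use `ls -ld "$file"` or, since GNU stat is already being relied on, `stat -c %U "$file"`. The same `stat -c '%a'` form would also replace the `grep '^Access:.*drwx.-..-.'` match, which depends on the human-readable layout and locale of stat(1) output.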
@@ -49,7 +57,7 @@ for f in `find -maxdepth 1 -type f`; do
     cp -fp $f $CONTRIBDIR/
 done
 
-rm -rf /tmp/$UNPACK_DIR
+rm -rf $BASEDIR/$UNPACK_DIR
 
 echo "The MIB files in $SHAREDIR have now been updated."
 exit 0
@@ -87,9 +95,9 @@ directories of this location.
 
 =item 1 - Program must be run as root, and you are not root
 
-=item 2 - /tmp/netdisco-mibs-0.6.tar.gz is missing - have you run netdisco-mibs-download ?
+=item 2 - /tmp/netdisco-mibs/netdisco-mibs-0.6.tar.gz is missing - have you run netdisco-mibs-download ?
 
-=item 3 - /tmp/netdisco-mibs-0.6.tar.gz is not owned by root
+=item 3 - /tmp/netdisco-mibs/ or /tmp/netdisco-mibs/netdisco-mibs-0.6.tar.gz are not owned by root
 
 =item 4 - Directory /usr/share/netdisco/mibs does not exist
 
