exploitable temporary file race in unshar
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sharutils (Debian) |
Fix Released
|
Unknown
|
|||
sharutils (Ubuntu) |
Fix Released
|
High
|
Martin Pitt |
Bug Description
Automatically imported from Debian bug report #302412 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: exploitable temporary file race in unshar
--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security
In unshar.c:
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file =3D fopen (name_buffer, "w+"), !file)
The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.
A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:
- This example in shar(1):
find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
- This example in the info file:
find . -type f -print | shar -S -o /tmp/big.shar
- This example in README.OLD:
e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
- This in contrib/shar.sh:
echo 'temp=3D/
echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
echo 'cat > $temp <<\!!!'
=2E..
echo "wc $contents | sed 's=3D[^ ]*/=3D=3D' | "'diff -b $temp - >$d=
temp'
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=
Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specif=
ic t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared librarie=
s an
-- no debconf information
--=20
see shy jo
--ibTvN161/egqYuK8
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCTCqsd8H
KplWlfZZjfqFNsd
=DTZO
-----END PGP SIGNATURE-----
--ibTvN161/
In Debian Bug tracker #302412, Bruce Korb (bkorb-veritas) wrote : Re: Bug#302412: exploitable temporary file race in unshar (fwd) | #3 |
Wrong assumption. It was announced on info-gnu. These new
issues will get faster action with a suggested patch :-).
Thanks - Bruce
Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <email address hidden>
> To: Debian Bug Tracking System <email address hidden>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave
Since sharutils is still barely on life support, perhaps it is not
quite yet in the grave....;)
> Tags: security
>
> In unshar.c:
>
> sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
> unlink (name_buffer);
>
> if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
> find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
> find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
> e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
> echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
> echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
> echo 'cat > $temp <<\!!!'
> ...
> echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=
>
> Versions of packages sharutils depends on:
> ii debianutils 2.13.2 Miscellaneous utilities specific t
> ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
In Debian Bug tracker #302412, Santiago Vila Doncel (sanvila-unex) wrote : | #4 |
Hello.
I received this from the Debian bug system:
I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
a separate directory, I assume it is not considered stable yet.
---------- Forwarded message ----------
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
Subject: Bug#302412: exploitable temporary file race in unshar
Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security
In unshar.c:
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.
A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:
- This example in shar(1):
find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
- This example in the info file:
find . -type f -print | shar -S -o /tmp/big.shar
- This example in README.OLD:
e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
- This in contrib/shar.sh:
echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
echo 'cat > $temp <<\!!!'
...
echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=
Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
--
see shy jo
In Debian Bug tracker #302412, Santiago Vila Doncel (sanvila-unex) wrote : | #5 |
On Thu, 31 Mar 2005, Bruce Korb wrote:
> Wrong assumption. It was announced on info-gnu.
May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
named "4.3.77" and "REL-4.3.78", then? The current layout is a little
bit misleading.
> These new issues will get faster action with a suggested patch :-).
Ok, here is a patch that maybe you can accept:
diff -ru sharutils-
--- sharutils-
+++ sharutils-
@@ -426,13 +426,15 @@
}
else
{
+#ifdef __MSDOS__
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
error (EXIT_FAILURE, errno, name_buffer);
-#ifndef __MSDOS__
- unlink (name_buffer); /* will be deleted on fclose */
+#else
+ if (file = tmpfile(), !file)
+ error (EXIT_FAILURE, errno, "tmpfile");
#endif
while (size_read = fread (copy_buffer, 1, sizeof (copy_buffer), stdin),
This patch tries not to break the MSDOS stuff. For Unix, there is no
need to unlink the file (the tmpfile function already does this), not
to mention we don't even know the name of the file, so we have to
change the error message a little bit to not reference name_buffer,
since it does not have any useful value.
In Debian Bug tracker #302412, Bruce Korb (bruce-korb) wrote : | #6 |
On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> On Thu, 31 Mar 2005, Bruce Korb wrote:
>
> > Wrong assumption. It was announced on info-gnu.
>
> May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
> named "4.3.77" and "REL-4.3.78", then? The current layout is a little
> bit misleading.
The first was a typo that I didn't notice until my script was already running.
It is my intention to release in REL-xxxxx subdirectories. It reduces clutter.
> > These new issues will get faster action with a suggested patch :-).
>
> Ok, here is a patch that maybe you can accept:
Looks fine to me. It may be a couple of weeks tho, taxes and my day job
take priority. :)
> This patch tries not to break the MSDOS stuff.
Thanks. I tend to forget that MSDOS exists.... ;)
Regards, Bruce
In Debian Bug tracker #302412, Santiago Vila Doncel (sanvila-unex) wrote : | #7 |
On Fri, 1 Apr 2005, Bruce Korb wrote:
> On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> > Ok, here is a patch that maybe you can accept:
>
> Looks fine to me. It may be a couple of weeks tho, taxes and my day job
> take priority. :)
Ok. For completeness, I'm also going to change /tmp/foo to /somewhere/foo
in both the manpage and the texinfo file, since those are included in
the Debian binary package. Please remember to rewrite README.OLD and
contrib/shar.sh appropriately for release 4.3.79.
Thanks.
In Debian Bug tracker #302412, Santiago Vila (sanvila) wrote : Bug#302412: fixed in sharutils 1:4.2.1-13 | #8 |
Source: sharutils
Source-Version: 1:4.2.1-13
We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:
sharutils-
to pool/main/
sharutils_
to pool/main/
sharutils_
to pool/main/
sharutils_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <email address hidden> (supplier of updated sharutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 1 Apr 2005 19:57:40 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <email address hidden>
Changed-By: Santiago Vila <email address hidden>
Description:
sharutils - shar, unshar, uuencode, uudecode
sharutils-doc - Documentation for GNU sharutils
Closes: 302412
Changes:
sharutils (1:4.2.1-13) unstable; urgency=medium
.
* Fixed insecure temporary file creation in unshar (Closes: #302412).
Changed also texinfo and shar(1) examples to read /somewhere/foo
instead of /tmp/foo. Reported by Joey Hess.
Files:
70e24dfeee9fbd
b0fd598dffd23e
bda14234eb1b41
4b482981eae8ea
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCTYvwd9U
oqvs3YCwFKboAqx
=4cM1
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 10:08:15 -0800
From: Bruce Korb <email address hidden>
To: Santiago Vila <email address hidden>
CC: <email address hidden>, <email address hidden>, Joey Hess
<email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
Wrong assumption. It was announced on info-gnu. These new
issues will get faster action with a suggested patch :-).
Thanks - Bruce
Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <email address hidden>
> To: Debian Bug Tracking System <email address hidden>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave
Since sharutils is still barely on life support, perhaps it is not
quite yet in the grave....;)
> Tags: security
>
> In unshar.c:
>
> sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
> unlink (name_buffer);
>
> if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
> find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
> find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
> e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
> echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
> echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
> echo 'cat > $temp <<\!!!'
> ...
> echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=
>
> Versions of packages sharutils depends on:
> ii debianutils 2.13.2 Miscellaneous utilities specific t
> ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 19:36:02 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Joey Hess <email address hidden>
Subject: Bug#302412: exploitable temporary file race in unshar (fwd)
Hello.
I received this from the Debian bug system:
I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
a separate directory, I assume it is not considered stable yet.
---------- Forwarded message ----------
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
Subject: Bug#302412: exploitable temporary file race in unshar
Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security
In unshar.c:
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.
A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:
- This example in shar(1):
find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
- This example in the info file:
find . -type f -print | shar -S -o /tmp/big.shar
- This example in README.OLD:
e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
- This in contrib/shar.sh:
echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
echo 'cat > $temp <<\!!!'
...
echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=
Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 03:30:05 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>,
Joey Hess <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
On Thu, 31 Mar 2005, Bruce Korb wrote:
> Wrong assumption. It was announced on info-gnu.
May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
named "4.3.77" and "REL-4.3.78", then? The current layout is a little
bit misleading.
> These new issues will get faster action with a suggested patch :-).
Ok, here is a patch that maybe you can accept:
diff -ru sharutils-
--- sharutils-
+++ sharutils-
@@ -426,13 +426,15 @@
}
else
{
+#ifdef __MSDOS__
sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
unlink (name_buffer);
if (file = fopen (name_buffer, "w+"), !file)
error (EXIT_FAILURE, errno, name_buffer);
-#ifndef __MSDOS__
- unlink (name_buffer); /* will be deleted on fclose */
+#else
+ if (file = tmpfile(), !file)
+ error (EXIT_FAILURE, errno, "tmpfile");
#endif
while (size_read = fread (copy_buffer, 1, sizeof (copy_buffer), stdin),
This patch tries not to break the MSDOS stuff. For Unix, there is no
need to unlink the file (the tmpfile function already does this), not
to mention we don't even know the name of the file, so we have to
change the error message a little bit to not reference name_buffer,
since it does not have any useful value.
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Fri, 1 Apr 2005 09:00:28 -0800
From: Bruce Korb <email address hidden>
To: <email address hidden>
Cc: Santiago Vila <email address hidden>, <email address hidden>, Joey Hess <email address hidden>,
<email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> On Thu, 31 Mar 2005, Bruce Korb wrote:
>
> > Wrong assumption. It was announced on info-gnu.
>
> May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
> named "4.3.77" and "REL-4.3.78", then? The current layout is a little
> bit misleading.
The first was a typo that I didn't notice until my script was already running.
It is my intention to release in REL-xxxxx subdirectories. It reduces clutter.
> > These new issues will get faster action with a suggested patch :-).
>
> Ok, here is a patch that maybe you can accept:
Looks fine to me. It may be a couple of weeks tho, taxes and my day job
take priority. :)
> This patch tries not to break the MSDOS stuff.
Thanks. I tend to forget that MSDOS exists.... ;)
Regards, Bruce
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 19:28:56 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: Bruce Korb <email address hidden>
Cc: <email address hidden>, <email address hidden>,
Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)
On Fri, 1 Apr 2005, Bruce Korb wrote:
> On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> > Ok, here is a patch that maybe you can accept:
>
> Looks fine to me. It may be a couple of weeks tho, taxes and my day job
> take priority. :)
Ok. For completeness, I'm also going to change /tmp/foo to /somewhere/foo
in both the manpage and the texinfo file, since those are included in
the Debian binary package. Please remember to rewrite README.OLD and
contrib/shar.sh appropriately for release 4.3.79.
Thanks.
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Fri, 01 Apr 2005 13:17:40 -0500
From: Santiago Vila <email address hidden>
To: <email address hidden>
Subject: Bug#302412: fixed in sharutils 1:4.2.1-13
Source: sharutils
Source-Version: 1:4.2.1-13
We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:
sharutils-
to pool/main/
sharutils_
to pool/main/
sharutils_
to pool/main/
sharutils_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <email address hidden> (supplier of updated sharutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 1 Apr 2005 19:57:40 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <email address hidden>
Changed-By: Santiago Vila <email address hidden>
Description:
sharutils - shar, unshar, uuencode, uudecode
sharutils-doc - Documentation for GNU sharutils
Closes: 302412
Changes:
sharutils (1:4.2.1-13) unstable; urgency=medium
.
* Fixed insecure temporary file creation in unshar (Closes: #302412).
Changed also texinfo and shar(1) examples to read /somewhere/foo
instead of /tmp/foo. Reported by Joey Hess.
Files:
70e24dfeee9fbd
b0fd598dffd23e
bda14234eb1b41
4b482981eae8ea
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCTYvwd9U
oqvs3YCwFKboAqx
=4cM1
-----END PGP SIGNATURE-----
Martin Pitt (pitti) wrote : | #15 |
Fixed Hoary:
sharutils (1:4.2.1-11ubuntu2) hoary; urgency=low
.
* SECURITY UPDATE: Fix insecure temporary file handling.
* src/unshar.c: Use tmpfile() for creating a temporary file instead of
PID-based naming (Ubuntu #8459).
* doc/sharutils.texi, doc/shar.1: Fixed examples to read /somewhere/foo
instead of /tmp/foo.
* Thanks to Santiago Vila <email address hidden> for the patch.
* References:
http://
Martin Pitt (pitti) wrote : | #16 |
Fixed Warty in USN-104-1.
Changed in sharutils: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #302412 http:// bugs.debian. org/302412