exploitable temporary file race in unshar

Automatically imported from Debian bug report #302412 http://bugs.debian.org/302412

Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: exploitable temporary file race in unshar

--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

      sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
      unlink (name_buffer);

      if (file =3D fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

              find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

          find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

        echo 'temp=3D/tmp/shar$$; dtemp=3D/tmp/.shar$$'
        echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
        echo 'cat > $temp <<\!!!'
=2E..
        echo "wc $contents | sed 's=3D[^ ]*/=3D=3D' | "'diff -b $temp - >$d=
temp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)

Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specif=
ic t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared librarie=
s an

-- no debconf information

--=20
see shy jo

--ibTvN161/egqYuK8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCTCqsd8HHehbQuO8RAnCRAJ9NIrBNRnIIaG0xD4rjC90+a+QvZgCgpTmu
KplWlfZZjfqFNsd6U+9jmm4=
=DTZO
-----END PGP SIGNATURE-----

--ibTvN161/egqYuK8--

Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 10:08:15 -0800
From: Bruce Korb <email address hidden>
To: Santiago Vila <email address hidden>
CC: <email address hidden>, <email address hidden>, Joey Hess
    <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

Wrong assumption. It was announced on info-gnu. These new
issues will get faster action with a suggested patch :-).

Thanks - Bruce

Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <email address hidden>
> To: Debian Bug Tracking System <email address hidden>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave

Since sharutils is still barely on life support, perhaps it is not
quite yet in the grave....;)

> Tags: security
>
> In unshar.c:
>
> sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
> unlink (name_buffer);
>
> if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
> find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
> find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
> e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
> echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
> echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
> echo 'cat > $temp <<\!!!'
> ...
> echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages sharutils depends on:
> ii debianutils 2.13.2 Miscellaneous utilities specific t
> ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an

Message-ID: <email address hidden>
Date: Thu, 31 Mar 2005 19:36:02 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Joey Hess <email address hidden>
Subject: Bug#302412: exploitable temporary file race in unshar (fwd)

Hello.

I received this from the Debian bug system:

I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
a separate directory, I assume it is not considered stable yet.

---------- Forwarded message ----------
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
Subject: Bug#302412: exploitable temporary file race in unshar

Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

      sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
      unlink (name_buffer);

      if (file = fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

              find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

          find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

        echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
        echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
        echo 'cat > $temp <<\!!!'
...
        echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

--
see shy jo

Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 03:30:05 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>,
 Joey Hess <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

On Thu, 31 Mar 2005, Bruce Korb wrote:

> Wrong assumption. It was announced on info-gnu.

May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
named "4.3.77" and "REL-4.3.78", then? The current layout is a little
bit misleading.

> These new issues will get faster action with a suggested patch :-).

Ok, here is a patch that maybe you can accept:

diff -ru sharutils-4.2.1.orig/src/unshar.c sharutils-4.2.1/src/unshar.c
--- sharutils-4.2.1.orig/src/unshar.c 2005-04-01 03:04:23.982932000 +0200
+++ sharutils-4.2.1/src/unshar.c 2005-04-01 03:10:59.278838528 +0200
@@ -426,13 +426,15 @@
       }
   else
     {
+#ifdef __MSDOS__
       sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
       unlink (name_buffer);

       if (file = fopen (name_buffer, "w+"), !file)
  error (EXIT_FAILURE, errno, name_buffer);
-#ifndef __MSDOS__
- unlink (name_buffer); /* will be deleted on fclose */
+#else
+ if (file = tmpfile(), !file)
+ error (EXIT_FAILURE, errno, "tmpfile");
 #endif

       while (size_read = fread (copy_buffer, 1, sizeof (copy_buffer), stdin),

This patch tries not to break the MSDOS stuff. For Unix, there is no
need to unlink the file (the tmpfile function already does this), not
to mention we don't even know the name of the file, so we have to
change the error message a little bit to not reference name_buffer,
since it does not have any useful value.

Message-Id: <email address hidden>
Date: Fri, 1 Apr 2005 09:00:28 -0800
From: Bruce Korb <email address hidden>
To: <email address hidden>
Cc: Santiago Vila <email address hidden>, <email address hidden>, Joey Hess <email address hidden>,
 <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> On Thu, 31 Mar 2005, Bruce Korb wrote:
>
> > Wrong assumption. It was announced on info-gnu.
>
> May I suggest that sharutils 4.3.77 and 4.3.78 are not put in directories
> named "4.3.77" and "REL-4.3.78", then? The current layout is a little
> bit misleading.

The first was a typo that I didn't notice until my script was already running.
It is my intention to release in REL-xxxxx subdirectories. It reduces clutter.

> > These new issues will get faster action with a suggested patch :-).
>
> Ok, here is a patch that maybe you can accept:

Looks fine to me. It may be a couple of weeks tho, taxes and my day job
take priority. :)

> This patch tries not to break the MSDOS stuff.

Thanks. I tend to forget that MSDOS exists.... ;)

Regards, Bruce

Message-ID: <email address hidden>
Date: Fri, 1 Apr 2005 19:28:56 +0200 (CEST)
From: Santiago Vila <email address hidden>
To: Bruce Korb <email address hidden>
Cc: <email address hidden>, <email address hidden>,
 Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

On Fri, 1 Apr 2005, Bruce Korb wrote:

> On Thursday 31 March 2005 05:30 pm, Santiago Vila wrote:
> > Ok, here is a patch that maybe you can accept:
>
> Looks fine to me. It may be a couple of weeks tho, taxes and my day job
> take priority. :)

Ok. For completeness, I'm also going to change /tmp/foo to /somewhere/foo
in both the manpage and the texinfo file, since those are included in
the Debian binary package. Please remember to rewrite README.OLD and
contrib/shar.sh appropriately for release 4.3.79.

Thanks.

Message-Id: <email address hidden>
Date: Fri, 01 Apr 2005 13:17:40 -0500
From: Santiago Vila <email address hidden>
To: <email address hidden>
Subject: Bug#302412: fixed in sharutils 1:4.2.1-13

Source: sharutils
Source-Version: 1:4.2.1-13

We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:

sharutils-doc_4.2.1-13_all.deb
  to pool/main/s/sharutils/sharutils-doc_4.2.1-13_all.deb
sharutils_4.2.1-13.diff.gz
  to pool/main/s/sharutils/sharutils_4.2.1-13.diff.gz
sharutils_4.2.1-13.dsc
  to pool/main/s/sharutils/sharutils_4.2.1-13.dsc
sharutils_4.2.1-13_i386.deb
  to pool/main/s/sharutils/sharutils_4.2.1-13_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <email address hidden> (supplier of updated sharutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 1 Apr 2005 19:57:40 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-13
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <email address hidden>
Changed-By: Santiago Vila <email address hidden>
Description:
 sharutils - shar, unshar, uuencode, uudecode
 sharutils-doc - Documentation for GNU sharutils
Closes: 302412
Changes:
 sharutils (1:4.2.1-13) unstable; urgency=medium
 .
   * Fixed insecure temporary file creation in unshar (Closes: #302412).
     Changed also texinfo and shar(1) examples to read /somewhere/foo
     instead of /tmp/foo. Reported by Joey Hess.
Files:
 70e24dfeee9fbd9702dd5291444bf7a6 616 utils standard sharutils_4.2.1-13.dsc
 b0fd598dffd23e0d77a910a50a37ac93 8304 utils standard sharutils_4.2.1-13.diff.gz
 bda14234eb1b418d42184cf3b2e39008 27956 doc optional sharutils-doc_4.2.1-13_all.deb
 4b482981eae8ea71c85427f7c1100db2 111344 utils standard sharutils_4.2.1-13_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCTYvwd9Uuvj7yPNYRArcTAKCB3v2NrpdqiMi+jzltHbcmg1wFxQCePU9b
oqvs3YCwFKboAqxDBFywBYc=
=4cM1
-----END PGP SIGNATURE-----

Fixed Hoary:

 sharutils (1:4.2.1-11ubuntu2) hoary; urgency=low
 .
   * SECURITY UPDATE: Fix insecure temporary file handling.
   * src/unshar.c: Use tmpfile() for creating a temporary file instead of
     PID-based naming (Ubuntu #8459).
   * doc/sharutils.texi, doc/shar.1: Fixed examples to read /somewhere/foo
     instead of /tmp/foo.
   * Thanks to Santiago Vila <email address hidden> for the patch.
   * References:
     http://bugs.debian.org/302412

Fixed Warty in USN-104-1.