Comment 0 for bug 14782

Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

      sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
      unlink (name_buffer);

      if (file = fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

              find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

          find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

        echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
        echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
        echo 'cat > $temp <<\!!!'
...
        echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sharutils depends on:
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

--
see shy jo