Comment 3 for bug 14782

Bruce Korb (bkorb-veritas) wrote: Re: Bug#302412: exploitable temporary file race in unshar (fwd)

Wrong assumption. It was announced on info-gnu. These new
issues will get faster action with a suggested patch :-).

Thanks - Bruce

Santiago Vila wrote:
>
> Hello.
>
> I received this from the Debian bug system:
>
> I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
> a separate directory, I assume it is not considered stable yet.
>
> ---------- Forwarded message ----------
> From: Joey Hess <email address hidden>
> To: Debian Bug Tracking System <email address hidden>
> Date: Thu, 31 Mar 2005 06:51:57 -1000
> Subject: Bug#302412: exploitable temporary file race in unshar
>
> Package: sharutils
> Version: 1:4.2.1-11
> Severity: grave

Since sharutils is still barely on life support, perhaps it is not
quite yet in the grave....;)

> Tags: security
>
> In unshar.c:
>
> sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
> unlink (name_buffer);
>
> if (file = fopen (name_buffer, "w+"), !file)
>
> The unlink makes it difficult, but surely not impossible to race unshar,
> when it is run on stdin, and cause it to fopen a symlink that points at
> an arbitrary file, which will then be replaced with the contents of the
> shell archive.
>
> A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
> include:
>
> - This example in shar(1):
>
> find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big
>
> - This example in the info file:
>
> find . -type f -print | shar -S -o /tmp/big.shar
>
> - This example in README.OLD:
>
> e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big
>
> - This in contrib/shar.sh:
>
> echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
> echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
> echo 'cat > $temp <<\!!!'
> ...
> echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'
>
> -- System Information:
> Debian Release: 3.1
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.27
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages sharutils depends on:
> ii debianutils 2.13.2 Miscellaneous utilities specific t
> ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
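Added example, not part of Bruce Korb's comment, Joey Hess's report or the sharutils sources: a race-free replacement for the sprintf()/unlink()/fopen() sequence quoted from unshar.c, plus an exclusive-create helper for the fixed-name pattern seen in contrib/shar.sh. The function names open_private_temp and open_exclusive are hypothetical. The point of the change is that the name is chosen and the file created in one atomic step (mkstemp, or open with O_CREAT|O_EXCL), so there is no window after unlink() in which a symlink can be placed at a predictable path and then followed by fopen().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE        /* exposes O_NOFOLLOW under strict feature sets */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical replacement for unshar's sprintf()/unlink()/fopen() sequence.
 * mkstemp() picks an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL and mode 0600 in a single call, so there is no separate
 * "pick a name, then create it" window in which a symlink can be planted.
 * On success the chosen path is copied to path_out so the caller can
 * unlink it when done. Returns NULL on any failure. */
FILE *open_private_temp(const char *dir, char *path_out, size_t path_len)
{
    char tmpl[PATH_MAX];
    int fd;
    FILE *fp;

    if (snprintf(tmpl, sizeof tmpl, "%s/unsh.XXXXXX", dir) >= (int)sizeof tmpl)
        return NULL;                        /* directory name too long */

    fd = mkstemp(tmpl);                     /* atomic create + open, 0600 */
    if (fd < 0)
        return NULL;

    if (path_out != NULL) {
        if (strlen(tmpl) >= path_len) {
            close(fd);
            unlink(tmpl);
            return NULL;
        }
        strcpy(path_out, tmpl);
    }

    fp = fdopen(fd, "w+");                  /* same stream mode unshar used */
    if (fp == NULL) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    return fp;
}

/* For cases where a fixed name is unavoidable (the /tmp/shar$$ pattern quoted
 * from contrib/shar.sh, for example): O_EXCL makes creation fail with EEXIST
 * when any directory entry, a symlink included, already occupies the path,
 * and O_NOFOLLOW refuses to follow a symlink even without O_EXCL.
 * Returns the new descriptor, or -1 with errno set. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stand-alone demonstration: create a private temp file under /tmp, write
 * through it, read it back, and remove it. */
int main(void)
{
    char path[PATH_MAX];
    char line[64];
    FILE *fp = open_private_temp("/tmp", path, sizeof path);

    if (fp == NULL) {
        perror("open_private_temp");
        return 1;
    }
    fputs("shar archive body\n", fp);
    rewind(fp);
    if (fgets(line, sizeof line, fp) != NULL)
        printf("%s: %s", path, line);
    fclose(fp);
    unlink(path);
    return 0;
}
```

Both helpers keep the "w+" read/write semantics the original code relied on; the only behavioural difference is that a pre-existing entry at the chosen path is an error instead of something silently followed.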