Bug 17175

Summary:	[PATCH] send-pr predictable tempfile vulnerability
Product:	Base System	Reporter:	phil <phil>
Component:	gnu	Assignee:	freebsd-bugs (Nobody) <bugs>
Status:	Closed FIXED
Severity:	Affects Only Me
Priority:	Normal
Version:	3.4-STABLE
Hardware:	Any
OS:	Any

Description phil 2000-03-04 09:50:01 UTC

	send-pr overwrites files named after (predictable) PIDs
	in /tmp, following symlinks. The exploits are obvious.

Fix: Workaround: set TMPDIR to something safe before invoking
	send-pr.

	Fix:



Additional note: Do not edit /usr/bin/send-pr while sending
	a PR. You will lose all your hard work when you exit.--ydq77C3ZPxM5c4CVHoaJ7ajA5Cie4ki3Q8CYhEgyXPA6fYXq
Content-Type: text/plain; name="file.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="file.diff"

--- src/gnu/usr.bin/send-pr/send-pr.sh.orig	Sat Sep  4 06:06:55 1999
+++ src/gnu/usr.bin/send-pr/send-pr.sh	Sat Mar  4 19:33:22 2000
@@ -73,11 +73,9 @@
 
 #
 
-[ -z "$TMPDIR" ] && TMPDIR=/tmp
-
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp -t send-pr.p` || exit 1
+BAD=`mktemp -t send-pr.pbad` || exit 1
+REF=`mktemp -t send-pr.pf` || exit 1
 
 if [ -z "$LOGNAME" -a -n "$USER" ]; then
   LOGNAME=$USER
How-To-Repeat: 
	Create lots of symlinks from /tmp/p$$ to something
	interesting. Run send-pr, or wait for your victim to do
	so. Observe target file now containing victim's name.

Comment 1 Sheldon Hearn 2000-03-04 10:03:23 UTC

On Sat, 04 Mar 2000 19:44:21 +1000, Phil Homewood wrote:

> 	Create lots of symlinks from /tmp/p$$ to something
> 	interesting. Run send-pr, or wait for your victim to do
> 	so. Observe target file now containing victim's name.

This only works when the user running send-pr has write permission on
the affected file, right?

While this should be fixed, it's certainly not a show-stopper if it's
just a user-to-user annoyance.  Nobody sensible runs send-pr as root.

So, assuming I'm right about the urgency involved,  have you
investigated the possibility of a patch from the vendor?  Although the
send-pr.sh file isn't on the vendor branch any more, it'd make sense to
try to use a vendor-supplied patch.

Ciao,
Sheldon.

Comment 2 phil 2000-03-04 10:07:01 UTC

OOPS. Previous patch is mildly bogus. This one works better.

--- src/gnu/usr.bin/send-pr/send-pr.sh.orig     Sat Sep  4 06:06:55 1999
+++ src/gnu/usr.bin/send-pr/send-pr.sh  Sat Mar  4 20:01:14 2000
@@ -75,9 +75,9 @@
 
 [ -z "$TMPDIR" ] && TMPDIR=/tmp
 
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp -t send-pr.p` || exit 1
+BAD=`mktemp -t send-pr.pbad` || exit 1
+REF=`mktemp -t send-pr.pf` || exit 1
 
 if [ -z "$LOGNAME" -a -n "$USER" ]; then
   LOGNAME=$USER

-- 
Phil Homewood        dot@atat.dotat.org        phil@rivendell.apana.org.au
           Member, Australian Public Access Network Association

Comment 3 phil 2000-03-04 10:12:12 UTC

Sheldon Hearn wrote:
> This only works when the user running send-pr has write permission on
> the affected file, right?

Yes.

> While this should be fixed, it's certainly not a show-stopper if it's
> just a user-to-user annoyance.  Nobody sensible runs send-pr as root.

You're assuming sensible users. Bad move. :-)
I still think it's serious enough to warrant a fix.

> So, assuming I'm right about the urgency involved,  have you
> investigated the possibility of a patch from the vendor?  Although the
> send-pr.sh file isn't on the vendor branch any more, it'd make sense to
> try to use a vendor-supplied patch.

PR has been submitted to vendor as well. "gnats/52" is the Cygnus
tracking ID.

Note too my followup patch (initial one erroneously took out the
'[ -z "$TMPDIR" ] && TMPDIR=/tmp' line which is still needed.
Sorry 'bout that. :-)
-- 
Phil Homewood        dot@atat.dotat.org        phil@rivendell.apana.org.au
           Member, Australian Public Access Network Association

Comment 4 Sheldon Hearn 2000-03-04 10:16:31 UTC

On Sat, 04 Mar 2000 20:12:12 +1000, Phil Homewood wrote:

> I still think it's serious enough to warrant a fix.

Oh absolutely!  I'm just saying that we can probably wait for the GNU
people to settle on an official patch before applying it.

How long do you think it'll take for them to close their PR?

Ciao,
Sheldon.

Comment 5 phil 2000-03-04 10:20:13 UTC

Sheldon Hearn wrote:
> Oh absolutely!  I'm just saying that we can probably wait for the GNU
> people to settle on an official patch before applying it.
> 
> How long do you think it'll take for them to close their PR?

No idea. First time I've ever logged a PR there, and I submitted
it around the same time I submitted this one. (Didn't supply a
patch to the GNATS people though, as we're not on vendor branch,
and mktemp(1) isn't exactly portable anyway.)
-- 
Phil Homewood        dot@atat.dotat.org        phil@rivendell.apana.org.au
           Member, Australian Public Access Network Association

Comment 6 Sheldon Hearn 2000-03-15 10:18:07 UTC

On Sat, 04 Mar 2000 20:20:13 +1000, Phil Homewood wrote:

> No idea. First time I've ever logged a PR there, and I submitted
> it around the same time I submitted this one.

Any news from the GNATS people?

Ciao,
Sheldon.

Comment 7 phil 2000-03-15 12:08:13 UTC

Sheldon Hearn wrote:
> Any news from the GNATS people?

None. The PR is sitting "open", nobody has yet touched it.
-- 
Phil Homewood        dot@atat.dotat.org        phil@rivendell.apana.org.au
           Member, Australian Public Access Network Association

Comment 8 Sheldon Hearn 2000-03-15 12:11:41 UTC

On Wed, 15 Mar 2000 22:08:13 +1000, Phil Homewood wrote:

> None. The PR is sitting "open", nobody has yet touched it.

Well, since the file is off the vendor branch, we may as well smack it
if the GNATS people aren't in hurry. :-)

Ciao,
Sheldon.

Comment 9 Sheldon Hearn freebsd_committer

2000-03-15 12:21:27 UTC

State Changed
From-To: open->closed

Duplicate of PR 16942.  There's a forward reference on that PR to this 
one, so closing this one loses us nothing.