From crp22@cam.ac.uk  Wed Feb 23 12:20:43 2000
Return-Path: <crp22@cam.ac.uk>
Received: from lilac.csi.cam.ac.uk (lilac.csi.cam.ac.uk [131.111.8.44])
	by hub.freebsd.org (Postfix) with ESMTP id 817EB37B91A
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 23 Feb 2000 12:20:33 -0800 (PST)
	(envelope-from crp22@cam.ac.uk)
Received: from crp22.trin.cam.ac.uk ([131.111.193.222] ident=root)
	by lilac.csi.cam.ac.uk with esmtp (Exim 3.13 #1)
	id 12NiGt-0003en-00
	for FreeBSD-gnats-submit@freebsd.org; Wed, 23 Feb 2000 20:20:31 +0000
Received: (from cph@localhost)
	by crp22.trin.cam.ac.uk (8.9.3/8.9.3) id UAA03039;
	Wed, 23 Feb 2000 20:20:35 GMT
	(envelope-from cph)
Message-Id: <200002232020.UAA03039@crp22.trin.cam.ac.uk>
Date: Wed, 23 Feb 2000 20:20:35 GMT
From: Colin Phipps <crp22@cam.ac.uk>
Reply-To: crp22@cam.ac.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: send-pr(1) creates unsafe temp files
X-Send-Pr-Version: 3.2

>Number:         16942
>Category:       gnu
>Synopsis:       send-pr(1) creates unsafe temp files
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 23 12:30:01 PST 2000
>Closed-Date:    Tue Aug 8 05:19:26 PDT 2000
>Last-Modified:  Tue Aug 08 05:20:07 PDT 2000
>Originator:     Colin Phipps
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
n/a
>Environment:

FreeBSD 4.0-CURRENT as of 2000/02/22
 
>Description:

send-pr(1) creates a number of temporary files, in /tmp by default, for 
holding the bug report while it's parsed and edited, and various other 
tasks. These temporary files are opened unsafely with predictable filenames, 
making send-pr vulnerable to a symlink attack.
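
The temp-file handling the fix moves to, as an added example written for this PR rather than send-pr's own code: it assumes a POSIX sh and a mktemp(1) that accepts an explicit XXXXXX template (used instead of the patch's -t prefix form so the same lines run with both BSD and GNU mktemp), and shows the cleanup trap armed before any file exists plus a check that can be applied to a created path.

```shell
#!/bin/sh
# Added example for this PR, not send-pr's own code. Assumes a POSIX sh
# and a mktemp(1) that accepts an explicit XXXXXX template (used here
# instead of the patch's -t form so it runs on both BSD and GNU mktemp).
# Paths are constructed under TMPDIR, or /tmp when it is unset.

TEMP=''
REF=''

# Unsafe pattern from the original script: the name is derived from $$,
# so another local user can guess it and have a symlink waiting there.
unsafe_tmp_name() {
    echo "${TMPDIR:-/tmp}/p$$"
}

# Remove whatever was created; skips names that were never filled in.
cleanup_tmp() {
    for f in "$TEMP" "$REF"; do
        [ -n "$f" ] && rm -f "$f"
    done
    return 0
}

# Safe pattern: arm cleanup first, then let mktemp(1) create each file
# with a random suffix and mode 0600, refusing any name that exists.
safe_tmp_setup() {
    trap cleanup_tmp 0 1 2 15
    TEMP=$(mktemp "${TMPDIR:-/tmp}/p.XXXXXXXXXX") || return 1
    REF=$(mktemp "${TMPDIR:-/tmp}/pf.XXXXXXXXXX") || return 1
    return 0
}

# Defender's check on a temp path: a regular file, not a symlink,
# readable and writable by the caller and by nobody else.
is_private_tmp() {
    [ -f "$1" ] || return 1
    [ -L "$1" ] && return 1
    [ -r "$1" ] && [ -w "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}
```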

>How-To-Repeat:

See description.

>Fix:

Use mktemp(1):

*** /usr/bin/send-pr	Tue Feb 22 11:54:39 2000
--- ./send-pr	Wed Feb 23 19:43:16 2000
***************
*** 73,84 ****
  
  #
  
- [ -z "$TMPDIR" ] && TMPDIR=/tmp
- 
- TEMP=$TMPDIR/p$$
- BAD=$TMPDIR/pbad$$
- REF=$TMPDIR/pf$$
- 
  if [ -z "$LOGNAME" -a -n "$USER" ]; then
    LOGNAME=$USER
  fi
--- 73,78 ----
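Review bot: dropping `[ -z "$TMPDIR" ] && TMPDIR=/tmp` is fine for the new `mktemp -t` calls, which fall back to /tmp on their own when TMPDIR is unset, but any other use of $TMPDIR further down the script would now see it empty; worth checking the rest of send-pr for such references before committing.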
***************
*** 93,111 ****
    ORIGINATOR="`sed -e '1q' $HOME/.fullname`"
  elif [ -f /bin/domainname ]; then
    if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then
      # Must use temp file due to incompatibilities in quoting behavior
      # and to protect shell metacharacters in the expansion of $LOGNAME
      /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
!       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
!     ORIGINATOR="`cat $TEMP`"
!     rm -f $TEMP
    fi
  fi
  
  if [ "$ORIGINATOR" = "" ]; then
!   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
!   ORIGINATOR="`cat $TEMP`"
!   rm -f $TEMP
  fi
  
  if [ -n "$ORGANIZATION" ]; then
--- 87,107 ----
    ORIGINATOR="`sed -e '1q' $HOME/.fullname`"
  elif [ -f /bin/domainname ]; then
    if [ "`/bin/domainname`" != "" -a -f /usr/bin/ypcat ]; then
+     PTEMP=`mktemp -t pt` || exit 1
      # Must use temp file due to incompatibilities in quoting behavior
      # and to protect shell metacharacters in the expansion of $LOGNAME
      /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
!       cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP
!     ORIGINATOR="`cat $PTEMP`"
!     rm -f $PTEMP
    fi
  fi
  
  if [ "$ORIGINATOR" = "" ]; then
!   PTEMP=`mktemp -t pt` || exit 1
!   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $PTEMP
!   ORIGINATOR="`cat $PTEMP`"
!   rm -f $PTEMP
  fi
  
  if [ -n "$ORGANIZATION" ]; then
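Review bot: $PTEMP is created here, well before the cleanup trap that the script installs later, and it is not among the files that trap removes, so an interrupt between `mktemp` and `rm -f $PTEMP` leaves the file behind; adding it to the trap's list (or unsetting it after the `rm -f`) closes that window. The prefix also changes from `p` to `pt` in both branches, which departs from the naming the manual page documents.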
***************
*** 251,256 ****
--- 247,255 ----
  HOW_TO_REPEAT_C='<Code/input/activities to reproduce the problem (multiple lines)>'
  FIX_C=''
  
+ # Create temporary files, safely
+ REF=`mktemp -t pf` || exit 1
+ TEMP=`mktemp -t pf` || exit 1
  # Catch some signals. ($xs kludge needed by Sun /bin/sh)
  xs=0
  trap 'rm -f $REF $TEMP; exit $xs' 0
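Review bot: the two `mktemp` calls run before `trap 'rm -f $REF $TEMP; exit $xs' 0` is armed, so a signal arriving between them and the trap leaves one or both files behind; moving the trap above the assignments is harmless while the variables are still empty and removes the window. Separately, REF and TEMP both get the `pf` prefix, whereas the manual page documents `p$$` for the editing copy and `pf$$` for the empty form, so TEMP should probably be `mktemp -t p`.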
***************
*** 482,487 ****
--- 481,487 ----
      case "$input" in
        a*)
  	if [ -z "$BATCH" ]; then
+ 	  BAD=`mktemp -t pbad`
  	  echo "$COMMAND: the problem report remains in $BAD and is not sent."
  	  mv $TEMP $BAD
          else
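Review bot: `BAD=\`mktemp -t pbad\`` has no failure check, unlike the other new `mktemp` calls; if it fails, $BAD is empty, the message tells the user the report remains in an empty path, `mv $TEMP $BAD` collapses to `mv $TEMP`, and the exit trap then deletes $TEMP, losing the report. Suggest checking the result and, on failure, leaving the report in $TEMP (and dropping it from the trap's list) so it can still be recovered.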
***************
*** 542,547 ****
--- 542,548 ----
  else
    echo "$COMMAND: mysterious mail failure."
    if [ -z "$BATCH" ]; then
+     BAD=`mktemp -t pbad`
      echo "$COMMAND: the problem report remains in $BAD and is not sent."
      mv $REF $BAD
    else
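Review bot: same missing check on `mktemp -t pbad` as in the earlier rejected-PR branch; here the file moved is $REF, which the exit trap also removes, so a `mktemp` failure again loses the report. Both branches could share one small helper that creates $BAD and keeps the original file when creation fails.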



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Sat Mar 4 02:10:57 PST 2000 
State-Changed-Why:  
The patch on PR 17175 looks a little cleaner.  How does it look to 
you? 
State-Changed-From-To: feedback->analyzed 
State-Changed-By: sheldonh 
State-Changed-When: Wed Mar 15 04:20:06 PST 2000 
State-Changed-Why:  
The originator has pointed out several advantages which this patch 
has over the one in PR 17175. 


Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Wed Mar 15 04:20:06 PST 2000 
Responsible-Changed-Why:  
I'll take this one, since the file is off the vendor branch already. 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Colin Phipps <crp22@cam.ac.uk>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: gnu/16942: send-pr(1) creates unsafe temp files
Date: Fri, 31 Mar 2000 16:32:30 +0200

 Hi Colin,
 
 Okay, I reckon this one needs to go in. :-)
 
 My only question regarding your patch is that you've changed the prefix
 for temporary files from p to pt.  The manual page says:
 
        /tmp/p$$     copy of PR used in editing session
        /tmp/pf$$    copy of empty PR form, for testing purposes
        /tmp/pbad$$  file for rejected PRs
 
 Is there any reason we can't stick with that convention?
 
 Ciao,
 Sheldon.
 
State-Changed-From-To: analyzed->open 
State-Changed-By: sheldonh 
State-Changed-When: Mon Apr 3 02:50:03 PDT 2000 
State-Changed-Why:  
This PR should have been in the ``open'' state. 
State-Changed-From-To: open->analyzed 
State-Changed-By: sheldonh 
State-Changed-When: Mon Apr 3 02:51:30 PDT 2000 
State-Changed-Why:  
Committed as rev 1.14, left in this state as an MFC reminder. 
Thanks! 
State-Changed-From-To: analyzed->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Aug 8 05:19:26 PDT 2000 
State-Changed-Why:  
Merged onto RELENG_4 as rev 1.13.2.2 on 2000-08-08. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16942 
>Unformatted:
