From phil@rivendell.apana.org.au  Sat Mar  4 01:44:40 2000
Return-Path: <phil@rivendell.apana.org.au>
Received: from rivendell.apana.org.au (rivendell.apana.org.au [203.3.126.17])
	by hub.freebsd.org (Postfix) with ESMTP id D06CE37B586
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  4 Mar 2000 01:44:34 -0800 (PST)
	(envelope-from phil@rivendell.apana.org.au)
Received: (from phil@localhost)
	by rivendell.apana.org.au (8.9.3/8.9.3) id TAA45571;
	Sat, 4 Mar 2000 19:44:21 +1000 (EST)
	(envelope-from phil)
Message-Id: <200003040944.TAA45571@rivendell.apana.org.au>
Date: Sat, 4 Mar 2000 19:44:21 +1000 (EST)
From: Phil Homewood <phil@rivendell.apana.org.au>
Reply-To: phil@rivendell.apana.org.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] send-pr predictable tempfile vulnerability
X-Send-Pr-Version: 3.2

>Number:         17175
>Category:       gnu
>Synopsis:       [PATCH] send-pr predictable tempfile vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar  4 01:50:01 PST 2000
>Closed-Date:    Wed Mar 15 04:21:27 PST 2000
>Last-Modified:  Wed Mar 15 04:22:23 PST 2000
>Originator:     Phil Homewood
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

     $FreeBSD: src/gnu/usr.bin/send-pr/send-pr.sh,v 1.9.2.3 1999/08/29 14:35:18 peter Exp $

>Description:

	send-pr overwrites files named after (predictable) PIDs
	in /tmp, following symlinks. The exploits are obvious.

>How-To-Repeat:

	Create lots of symlinks from /tmp/p$$ to something
	interesting. Run send-pr, or wait for your victim to do
	so. Observe target file now containing victim's name.

>Fix:
	
	Workaround: set TMPDIR to something safe before invoking
	send-pr.

	Fix:

--- src/gnu/usr.bin/send-pr/send-pr.sh.orig	Sat Sep  4 06:06:55 1999
+++ src/gnu/usr.bin/send-pr/send-pr.sh	Sat Mar  4 19:33:22 2000
@@ -73,11 +73,9 @@
 
 #
 
-[ -z "$TMPDIR" ] && TMPDIR=/tmp
-
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp -t send-pr.p` || exit 1
+BAD=`mktemp -t send-pr.pbad` || exit 1
+REF=`mktemp -t send-pr.pf` || exit 1
 
 if [ -z "$LOGNAME" -a -n "$USER" ]; then
   LOGNAME=$USER
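Review bot: this hunk removes `[ -z "$TMPDIR" ] && TMPDIR=/tmp` together with the three assignments, but nothing else in the hunk stops the rest of the script from referencing $TMPDIR, and the submitter's follow-up confirms the line is still needed; keep it and replace only the three `$TMPDIR/p*$$` lines. Separately, each `|| exit 1` after the second and third `mktemp` leaves the file created by the earlier call behind; unless a later `trap` already removes `$TEMP`, `$BAD` and `$REF`, a `trap 'rm -f "$TEMP" "$BAD" "$REF"' 0` set before the first `mktemp` would cover the failure path as well as normal exit.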




	Additional note: Do not edit /usr/bin/send-pr while sending
	a PR. You will lose all your hard work when you exit.

>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: phil@rivendell.apana.org.au
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability 
Date: Sat, 04 Mar 2000 12:03:23 +0200

 On Sat, 04 Mar 2000 19:44:21 +1000, Phil Homewood wrote:
 
 > 	Create lots of symlinks from /tmp/p$$ to something
 > 	interesting. Run send-pr, or wait for your victim to do
 > 	so. Observe target file now containing victim's name.
 
 This only works when the user running send-pr has write permission on
 the affected file, right?
 
 While this should be fixed, it's certainly not a show-stopper if it's
 just a user-to-user annoyance.  Nobody sensible runs send-pr as root.
 
 So, assuming I'm right about the urgency involved, have you
 investigated the possibility of a patch from the vendor?  Although the
 send-pr.sh file isn't on the vendor branch any more, it'd make sense to
 try to use a vendor-supplied patch.
 
 Ciao,
 Sheldon.
 

From: Phil Homewood <phil@rivendell.apana.org.au>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Date: Sat, 4 Mar 2000 20:07:01 +1000

 OOPS. Previous patch is mildly bogus. This one works better.
 
 --- src/gnu/usr.bin/send-pr/send-pr.sh.orig     Sat Sep  4 06:06:55 1999
 +++ src/gnu/usr.bin/send-pr/send-pr.sh  Sat Mar  4 20:01:14 2000
 @@ -75,9 +75,9 @@
  
  [ -z "$TMPDIR" ] && TMPDIR=/tmp
  
 -TEMP=$TMPDIR/p$$
 -BAD=$TMPDIR/pbad$$
 -REF=$TMPDIR/pf$$
 +TEMP=`mktemp -t send-pr.p` || exit 1
 +BAD=`mktemp -t send-pr.pbad` || exit 1
 +REF=`mktemp -t send-pr.pf` || exit 1
  
  if [ -z "$LOGNAME" -a -n "$USER" ]; then
    LOGNAME=$USER
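 Review bot: the three `|| exit 1` paths in this hunk still leave any file created by an earlier `mktemp` behind when a later one fails, so a `trap 'rm -f "$TEMP" "$BAD" "$REF"' 0` placed before the first `mktemp` is worth adding unless the script already has one further down. Restoring `[ -z "$TMPDIR" ] && TMPDIR=/tmp` is right, since `mktemp -t` derives its directory from $TMPDIR and the rest of the script may reference the variable too; note though that `mktemp -t send-pr.p` with a bare prefix is FreeBSD's form (it appends the random suffix itself), so, as the follow-up in this thread says, the hunk is not portable to an mktemp that requires an explicit XXXXXX template.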
 
 -- 
 Phil Homewood        dot@atat.dotat.org        phil@rivendell.apana.org.au
            Member, Australian Public Access Network Association
 

From: Phil Homewood <phil@rivendell.apana.org.au>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Date: Sat, 4 Mar 2000 20:12:12 +1000

 Sheldon Hearn wrote:
 > This only works when the user running send-pr has write permission on
 > the affected file, right?
 
 Yes.
 
 > While this should be fixed, it's certainly not a show-stopper if it's
 > just a user-to-user annoyance.  Nobody sensible runs send-pr as root.
 
 You're assuming sensible users. Bad move. :-)
 I still think it's serious enough to warrant a fix.
 
 > So, assuming I'm right about the urgency involved,  have you
 > investigated the possibility of a patch from the vendor?  Although the
 > send-pr.sh file isn't on the vendor branch any more, it'd make sense to
 > try to use a vendor-supplied patch.
 
 PR has been submitted to vendor as well. "gnats/52" is the Cygnus
 tracking ID.
 
 Note too my followup patch (initial one erroneously took out the
 '[ -z "$TMPDIR" ] && TMPDIR=/tmp' line which is still needed.
 Sorry 'bout that. :-)

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Phil Homewood <phil@rivendell.apana.org.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability 
Date: Sat, 04 Mar 2000 12:16:31 +0200

 On Sat, 04 Mar 2000 20:12:12 +1000, Phil Homewood wrote:
 
 > I still think it's serious enough to warrant a fix.
 
 Oh absolutely!  I'm just saying that we can probably wait for the GNU
 people to settle on an official patch before applying it.
 
 How long do you think it'll take for them to close their PR?
 
 Ciao,
 Sheldon.
 

From: Phil Homewood <phil@rivendell.apana.org.au>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Date: Sat, 4 Mar 2000 20:20:13 +1000

 Sheldon Hearn wrote:
 > Oh absolutely!  I'm just saying that we can probably wait for the GNU
 > people to settle on an official patch before applying it.
 > 
 > How long do you think it'll take for them to close their PR?
 
 No idea. First time I've ever logged a PR there, and I submitted
 it around the same time I submitted this one. (Didn't supply a
 patch to the GNATS people though, as we're not on vendor branch,
 and mktemp(1) isn't exactly portable anyway.)

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Phil Homewood <phil@rivendell.apana.org.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability 
Date: Wed, 15 Mar 2000 12:18:07 +0200

 On Sat, 04 Mar 2000 20:20:13 +1000, Phil Homewood wrote:
 
 > No idea. First time I've ever logged a PR there, and I submitted
 > it around the same time I submitted this one.
 
 Any news from the GNATS people?
 
 Ciao,
 Sheldon.
 

From: Phil Homewood <phil@rivendell.apana.org.au>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Date: Wed, 15 Mar 2000 22:08:13 +1000

 Sheldon Hearn wrote:
 > Any news from the GNATS people?
 
 None. The PR is sitting "open", nobody has yet touched it.

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Phil Homewood <phil@rivendell.apana.org.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability 
Date: Wed, 15 Mar 2000 14:11:41 +0200

 On Wed, 15 Mar 2000 22:08:13 +1000, Phil Homewood wrote:
 
 > None. The PR is sitting "open", nobody has yet touched it.
 
 Well, since the file is off the vendor branch, we may as well smack it
 if the GNATS people aren't in a hurry. :-)
 
 Ciao,
 Sheldon.
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Wed Mar 15 04:21:27 PST 2000 
State-Changed-Why:  
Duplicate of PR 16942.  There's a forward reference on that PR to this 
one, so closing this one loses us nothing. 
>Unformatted:
