Bug#290974: apache: Temporary usage bugs that can be used in symlink attacks
Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge
Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the
source. One of these (check_forensic) is installed in Debian's apache-utils
package and IMHO should be fixed. They are rather low risk, but I have to
set the priority to grave in any case (since they qualify).

The fix is rather straightforward (use mktemp or tempfile instead of the $$
construct and add a trap to remove the temporary files) and it is needed,
especially for check_forensic.

In the check_forensic script, for example, an attacker could just monitor
/tmp/ usage and construct symlinks to the fc-XX.$$ as soon as they "see" that
the fc-all.$$ file is being used.

I've verified that none of these issues affect woody's Apache
(1.3.26-0woody6). The fmn.sh script was there but it is not installed with
any package and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues, hope it helps.
Please fix fmn.sh even if it is not installed in any Debian packages, just
to ease the work of automatic source-code review tools.

Regards

Javier
diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh build-tree-apache/apache_1.3.33/src/helpers/fmn.sh
--- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh 2004-02-16 23:23:09.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh 2005-01-18 00:51:03.000000000 +0100
@@ -24,8 +24,8 @@
modfile=$1
# the part from the Configure script
-tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
-rm -f $tmpfile
+tmpfile=`mktemp -t fmn.XXXXXX || tempfile --prefix=fmn` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
modname=''
ext=`echo $modfile | sed 's/^.*\.//'`
modbase=`echo $modfile | sed 's/\.[^.]*$//'`
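Review bot: the trap added right after the mktemp line lists signals 1 2 3 13 15, but its handler only runs rm and never exits, so after a SIGINT or SIGTERM the script carries on with its temporary file already deleted. Suggest keeping the cleanup on 0 only and adding a second trap such as trap 'exit 1' 1 2 3 13 15, so that a signal ends the script and the exit trap does the removal. The handler string is also double-quoted, which expands $tmpfile when the trap is set; single quotes around the handler with "$tmpfile" inside would survive a TMPDIR that contains quote characters.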
@@ -52,8 +52,8 @@
modname=`echo $modbase | sed 's/^.*\///' | \
sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'`
fi
-rm -f $tmpfile
# output: the name of the module structure symbol
echo "$modname"
+exit 0
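Review bot: the exit 0 added after echo "$modname" is not needed for cleanup, because the trap on 0 set in the first hunk already fires when the script runs off its end, and it forces a success status whatever echo returned. Dropping the line keeps the script's exit status as it was before the patch.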
diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic build-tree-apache/apache_1.3.33/src/support/check_forensic
--- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic 2005-01-18 00:49:23.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/support/check_forensic 2005-01-18 00:53:32.000000000 +0100
@@ -7,9 +7,14 @@
F=$1
-cut -f 1 -d '|' $F > /tmp/fc-all.$$
-grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$
-grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$
+all=`mktemp -t fcall.XXXXXX || tempfile --prefix=fcall` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+in=`mktemp -t fcin.XXXXXX || tempfile --prefix=fcin` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+out=`mktemp -t fcout.XXXXXX || tempfile --prefix=fcout` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15
+
+cut -f 1 -d '|' $F > $all
+grep + < $all | cut -c2- | sort > $in
+grep -- - < $all | cut -c2- | sort > $out
# use -i instead of -I for GNU xargs
-join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
-rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$
+join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F
+exit 0
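Review bot: the trap is installed only after all three mktemp calls, so if creating $in or $out fails, the exit 1 in that line's error branch leaves the files already created behind. Creating one private directory with mktemp -d, setting the trap immediately, and placing the three files inside it closes that gap with a single cleanup target. As in fmn.sh, the signal traps here remove the files without exiting, and $F, $all, $in and $out are unquoted in the redirections and in the join arguments, so a TMPDIR or log path containing whitespace breaks the script.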
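An added example, not part of the original report or of Apache's source: a scanner of the kind the report alludes to ("automatic source-code review tools"), flagging shell lines that build a temporary file name from `$$` under /tmp or TMPDIR. The function names and the regular expression are assumptions, and the sample input is constructed from lines in the patch above.

```shell
#!/bin/sh
# Added example (not from the bug report). The regex is an assumption modelled
# on the two constructs the patch removes; function names are hypothetical.

# scan_predictable_tmp FILE...
# Print "file:line:text" for every non-comment line that names a path under
# /tmp, $TMPDIR or ${TMPDIR...} whose file name ends in the PID expansion $$.
scan_predictable_tmp() {
    awk '
        /^[ \t]*#/ { next }   # comment lines are not executed, skip them
        /(\/tmp|[$]TMPDIR|[$][{]TMPDIR[^}]*[}])\/[^ \t"]*[$][$]/ {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# write_sample old|new: constructed sample input. "old" is based on lines the
# patch removes, "new" is modelled on lines it adds.
write_sample() {
    case $1 in
    old) cat <<'EOF'
F=$1
# scratch files live in /tmp/fc-all.$$
cut -f 1 -d '|' $F > /tmp/fc-all.$$
grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$
tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
EOF
        ;;
    new) cat <<'EOF'
all=`mktemp -t fcall.XXXXXX` || exit 1
cut -f 1 -d '|' $F > $all
grep + < $all | cut -c2- | sort > $in
EOF
        ;;
    esac
}

# count_hits old|new: scan one sample from a private scratch directory and
# print the number of flagged lines.
count_hits() {
    dir=$(mktemp -d) || return 1
    write_sample "$1" > "$dir/sample.sh"
    scan_predictable_tmp "$dir/sample.sh" | wc -l | tr -d ' '
    rm -rf -- "$dir"
}

echo "old form: $(count_hits old) flagged, patched form: $(count_hits new) flagged"
```

A hit is a prompt for review rather than proof of a flaw, since a script may point TMPDIR at a directory that only its owner can write to.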