
Bug#290974: apache: Temporary usage bugs that can be used in symlink attacks



Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the 
source, one of these (check_forensic) is installed in Debian's apache-utils 
package and IMHO should be fixed. They are rather low risk, but I have to 
set the priority to grave in any case (since they qualify).

The fix is rather straightforward (use mktemp or tempfile instead of the $$ 
construct and add a trap to remove the temporary files) and it is needed, 
especially for check_forensic.

In the check_forensic script, for example, an attacker could just monitor
/tmp/ usage and construct symlinks to the fc-XX.$$ as soon as they "see" that
the fc-all.$$ file is being used. 

I've verified that none of these issues affect woody's Apache 
(1.3.26-0woody6). The fmn.sh script was there but it is not installed with 
any package and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues, hope it helps. 
Please fix fmn.sh even though it is not installed in any Debian package, just 
to ease the work of automatic source-code review tools.


Regards


Javier
diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh build-tree-apache/apache_1.3.33/src/helpers/fmn.sh
--- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh	2004-02-16 23:23:09.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh	2005-01-18 00:51:03.000000000 +0100
@@ -24,8 +24,8 @@
 modfile=$1
 
 #   the part from the Configure script
-tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
-rm -f $tmpfile
+tmpfile=`mktemp -t fmn.XXXXXX || tempfile --prefix=fmn` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
 modname=''
 ext=`echo $modfile | sed 's/^.*\.//'`
 modbase=`echo $modfile | sed 's/\.[^.]*$//'`
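Review bot: On the new `trap` line, signals 1 2 3 13 15 share the `rm -f` command with exit (0) and that command never exits, so after an interrupt the script carries on with its temporary file already deleted and any later use of `$tmpfile` works on a path that no longer belongs to it. Keep the removal on 0 only and add a second trap such as `trap 'exit 1' 1 2 3 13 15`. Because the trap body is in double quotes, `$tmpfile` is expanded when the trap is set; single quotes around the body would defer the expansion and cope with a `TMPDIR` that contains quote characters.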
@@ -52,8 +52,8 @@
     modname=`echo $modbase | sed 's/^.*\///' | \
         sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'`
 fi
-rm -f $tmpfile
 
 #   output: the name of the module structure symbol
 echo "$modname"
 
+exit 0
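Review bot: The added `exit 0` at the end is not needed for cleanup, since a trap on 0 also runs when the script reaches its end normally; it can be dropped so the script's exit status stays that of the final `echo`. With the explicit `rm -f $tmpfile` removed, cleanup in this file depends entirely on the trap set in the first hunk, so the signal handling there needs to be right.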
diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic build-tree-apache/apache_1.3.33/src/support/check_forensic
--- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic	2005-01-18 00:49:23.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/support/check_forensic	2005-01-18 00:53:32.000000000 +0100
@@ -7,9 +7,14 @@
 
 F=$1
 
-cut -f 1 -d '|' $F  > /tmp/fc-all.$$
-grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$
-grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$
+all=`mktemp -t fcall.XXXXXX || tempfile --prefix=fcall` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+in=`mktemp -t fcin.XXXXXX || tempfile --prefix=fcin` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+out=`mktemp -t fcout.XXXXXX || tempfile --prefix=fcout` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15
+
+cut -f 1 -d '|' $F  > $all
+grep + < $all | cut -c2- | sort > $in
+grep -- - < $all | cut -c2- | sort > $out
 # use -i instead of -I for GNU xargs
-join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
-rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$
+join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F
+exit 0
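Review bot: On the `trap` line, signals 1 2 3 13 15 only run `rm -f` and do not exit, so an interrupted run continues into the `cut`, `grep` and `sort` redirections, which recreate `$all`, `$in` or `$out` by name with a plain `>` and follow whatever is at that path by then. Keep the removal on 0 and add `trap 'exit 1' 1 2 3 13 15`. The trap is also installed only after all three files exist, so a failure of the second or third `mktemp` exits with the earlier files left behind; setting the trap before the first `mktemp`, with the variables initialised empty, covers that case. `$F` and the three new variables are unquoted in every command, which breaks on a path or `TMPDIR` containing whitespace.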

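The difference between the `$$` naming and the `mktemp` plus `trap` approach described in the report, as an added example that is not part of the original message or of Apache's scripts. It works only inside a scratch directory it creates; the file names and data are constructed, and the separate `exit 1` trap for signals is this example's own choice rather than the form used in the patch.

```shell
#!/bin/sh
# Added example: runs entirely inside a private scratch directory.
# "victim", the planted link and the data strings are constructed for the demo.

# Old pattern: predictable name built from the shell's PID ($$).
# The redirection opens whatever sits at that path and follows symlinks.
write_predictable() {                 # $1 = temp dir, $2 = data
    printf '%s\n' "$2" > "$1/fc-all.$$"
}

# Patched pattern: mktemp chooses an unpredictable name and creates the
# file itself (exclusive create, mode 0600), so nothing planted is reused.
write_mktemp() {                      # $1 = temp dir, $2 = data
    f=`mktemp "$1/fcall.XXXXXX"` || return 1
    printf '%s\n' "$2" > "$f"
}

# Prints the victim file's content after a write through function $1.
victim_after() {
    box=`mktemp -d` || return 1
    mkdir "$box/tmp"
    echo "important data" > "$box/victim"
    # A link placed at the guessable name before the script runs.
    ln -s "$box/victim" "$box/tmp/fc-all.$$"
    "$1" "$box/tmp" "log line"
    cat "$box/victim"
    rm -rf "$box"
}

# Prints how many temp files remain after a child script using
# mktemp + trap is terminated by SIGTERM in the middle of its work.
leftover_after_signal() {
    box=`mktemp -d` || return 1
    sh -c 't=`mktemp "$1/fcall.XXXXXX"` || exit 1
           trap "rm -f -- \"$t\"" 0      # cleanup on every exit
           trap "exit 1" 1 2 3 13 15     # a signal ends the script
           echo data > "$t"
           kill -TERM $$' sh "$box" || true
    ls -A "$box" | wc -l | tr -d ' '
    rm -rf "$box"
}

echo "predictable name: victim now holds '`victim_after write_predictable`'"
echo "mktemp:           victim now holds '`victim_after write_mktemp`'"
echo "temp files left after SIGTERM: `leftover_after_signal`"
```
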