
Bug#117283: marked as done (modconf: Unsafe temp file handling in modconf(8))



Your message dated Wed, 11 Sep 2002 23:21:43 -0700
with message-id <20020912062143.GA12347@kimdon.org>
and subject line these modconf bugs are fixed and done
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Oct 2001 13:25:02 +0000
>From cph@cph.demon.co.uk Sat Oct 27 08:25:02 2001
Return-path: <cph@cph.demon.co.uk>
Received: from anchor-post-34.mail.demon.net [194.217.242.92] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 15xTSQ-00032R-00; Sat, 27 Oct 2001 08:25:02 -0500
Received: from cph.demon.co.uk ([158.152.107.46] helo=micro.no28.org.uk)
	by anchor-post-34.mail.demon.net with esmtp (Exim 2.12 #1)
	id 15xTSK-000KzA-0Y
	for submit@bugs.debian.org; Sat, 27 Oct 2001 14:24:57 +0100
Received: by micro.no28.org.uk (Postfix, from userid 1000)
	id 8B907864; Sat, 27 Oct 2001 14:27:36 +0100 (BST)
Date: Sat, 27 Oct 2001 14:27:36 +0100
From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: modconf: Unsafe temp file handling in modconf(8)
Message-ID: <20011027142736.A7599@cph.demon.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.23i
X-Reportbug-Version: 1.31
Delivered-To: submit@bugs.debian.org

Package: modconf
Version: 0.2.35
Severity: grave
Justification: user security hole
File: /usr/sbin/modconf
Tags: security patch

There are various flaws in the temporary file handling by modconf(8):

- the test in modules/param for tempfile(1) looks in the wrong directory
- while tempfile is used to get a safe temporary file, various other
  temporary filenames are constructed by appending .1, .2 etc to this
  name, without ensuring that these new names don't already exist
- temporary files are removed and recreated during use of modconf,
  without generating new filenames or ensuring that no other file is
  created with that name in the meantime 

These create a security hole, where a malicious local user could perform
symlink attacks and/or gain access to modconf's temporary files, which
could clearly be a security hazard.

The following patch should address these problems:

diff -pru modconf-0.2.35/modconf modconf-0.2.35-cph/modconf
--- modconf-0.2.35/modconf	Tue Mar  6 03:20:08 2001
+++ modconf-0.2.35-cph/modconf	Sat Oct 27 13:51:24 2001
@@ -158,6 +158,8 @@ fi
 . $libdir/util
 . $libdir/dialog
 
+trap "rm -f $TempFile $TempFile1 $TempFile2 $TempFile3 $TempFile4" 0
+
 # default if not set from cmdline
 ModuleHelpDir=${ModuleHelpDir:-$Target/usr/share/modconf}
 
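Review bot: the trap added here is registered for condition 0 only, and the report says the script is also run under ash; some sh implementations do not run the exit trap when the shell is killed by a signal, so the five files can be left behind on Ctrl-C. Consider adding a handler such as `trap 'exit 1' HUP INT TERM` so the exit trap always fires. The double-quoted trap string also expands the variables once, unquoted, at the point the trap is set; single quotes with quoted expansions inside would be more robust.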
@@ -212,7 +214,5 @@ fi
 for i in $Load_After; do
   get_and_insmod $i
 done
-
-rm -f $TempFile $TempFile.1 $TempFile.2 $TempFile.3 $TempFile.4
 
 exit 0
diff -pru modconf-0.2.35/modules/params modconf-0.2.35-cph/modules/params
--- modconf-0.2.35/modules/params	Tue Feb  8 06:53:58 2000
+++ modconf-0.2.35-cph/modules/params	Sat Oct 27 13:06:18 2001
@@ -25,10 +25,18 @@ else 
     readonly sed="sed"
 fi
 
-if [ -x /usr/bin/tempfile ]; then
+if [ -x /bin/tempfile -o -x /usr/bin/tempfile ]; then
     readonly TempFile=`tempfile`
+    readonly TempFile1=`tempfile`
+    readonly TempFile2=`tempfile`
+    readonly TempFile3=`tempfile`
+    readonly TempFile4=`tempfile`
 else 
     readonly TempFile="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$"
+    readonly TempFile1="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.1"
+    readonly TempFile2="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.2"
+    readonly TempFile3="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.3"
+    readonly TempFile4="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.4"
 fi
 
 KernelVersion=$(uname -r)
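Review bot: the else branch still builds all five names from `$0` and `$$` under /tmp and never creates them, so when tempfile is not installed the names remain predictable and the first `>` redirection follows whatever already exists at that path. Either abort when tempfile is missing, or create a private directory with `mkdir` under `umask 077` and stop if that fails. In the first branch the test checks /bin/tempfile and /usr/bin/tempfile but the call is a bare `tempfile` resolved through PATH, and its exit status is never checked, so an empty `TempFile1` would go unnoticed.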
diff -pru modconf-0.2.35/modules/util modconf-0.2.35-cph/modules/util
--- modconf-0.2.35/modules/util	Sat Oct 20 07:02:25 2001
+++ modconf-0.2.35-cph/modules/util	Sat Oct 27 13:07:27 2001
@@ -157,16 +157,16 @@ module_directory_menu () {
 
     build_lists
 
-    echo 'menu "$text" "$title" \' > $TempFile.1
-    echo '"$msg_Exit" "   $msg_Finished_these" \' >> $TempFile.1
-    echo '" " " " \' >> $TempFile.1
+    echo 'menu "$text" "$title" \' > $TempFile1
+    echo '"$msg_Exit" "   $msg_Finished_these" \' >> $TempFile1
+    echo '" " " " \' >> $TempFile1
     
     infoBox "$msg_Please_wait_l" "$msg_Please_wait"
 
-    build_module_directory_menu $directory >> $TempFile.1
+    build_module_directory_menu $directory >> $TempFile1
 
     local result
-    result="$(. $TempFile.1)"
+    result="$(. $TempFile1)"
     if [ $? -ne 0 ]; then return 1; fi
 
     case "$result" in
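Review bot: `result="$(. $TempFile1)"` executes the file as shell code, so this function is only as safe as the way `$TempFile1` was created; with the fallback names in modules/params there is no guarantee the file is new and owned by the caller. A check before the first `>` that the file exists, is a regular file and is owned by the invoking user would make that explicit. The expansions should also be quoted ("$TempFile1"), since the fallback name is derived from `$0`.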
@@ -193,7 +193,6 @@ module_directory_menu () {
         edit_module "$result"
         ;;
     esac
-    rm -f $TempFile.1
   done
 }
 
@@ -248,24 +247,24 @@ edit_arguments () {
   local old_arguments="$(parse_arguments $module)"
 
   local arguments
-  module_args $module >$TempFile.3
+  module_args $module >$TempFile3
   local status=$?
   if [ $status -eq 2 ]; then
-    echo -n "msgBox \"" >$TempFile.2
-    cat $TempFile.3 >>$TempFile.2
-    echo "\" \"Module info\"">>$TempFile.2
-    arguments="`. $TempFile.2`"
+    echo -n "msgBox \"" >$TempFile2
+    cat $TempFile3 >>$TempFile2
+    echo "\" \"Module info\"">>$TempFile2
+    arguments="`. $TempFile2`"
     return 0
   fi
   if [ $status -ne 3 ]; then
-    echo -n "inputBox \"" >$TempFile.2
-    cat $TempFile.3 >>$TempFile.2 
-    echo "">>$TempFile.2
-    echo "$msg_enter_arguments_l\" \\" >>$TempFile.2
-    echo "\"$msg_enter_arguments\" \\" >>$TempFile.2
-    echo "\"$old_arguments\"" >>$TempFile.2
+    echo -n "inputBox \"" >$TempFile2
+    cat $TempFile3 >>$TempFile2 
+    echo "">>$TempFile2
+    echo "$msg_enter_arguments_l\" \\" >>$TempFile2
+    echo "\"$msg_enter_arguments\" \\" >>$TempFile2
+    echo "\"$old_arguments\"" >>$TempFile2
 
-    arguments="`. $TempFile.2`"
+    arguments="`. $TempFile2`"
     if [ $? -ne 0 ]; then return 1; fi
   else
     arguments=''
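Review bot: in both branches the output of `module_args` is copied with `cat $TempFile3 >>$TempFile2` between double quotes and the result is then sourced, so any double quote, backquote or `$` in that output is interpreted by the shell. This predates the patch, but since these lines are being rewritten, consider reading the text into a variable and passing it to msgBox/inputBox as an argument instead of generating a script. `echo -n` is also not portable across sh implementations, which matters given the ash testing mentioned in the report.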
@@ -493,13 +492,12 @@ update_modules_conf () {
           echo $line;
         fi; 
         done; 
-      )   > $TempFile.4
+      )   > $TempFile4
       if [ $modd ]; then
-        cat $TempFile.4 > $i
+        cat $TempFile4 > $i
         modd=""
       fi
     done
-    rm -f $TempFile.4
     if [ -z "$done" -a -n "$arguments" ]; then
       if [ "$machine" = s390 -a "$module" = qeth -o "$machine" = s390 -a "$module" = lcs -o "$machine" = s390 -a "$module" = netiucv -o "$machine" = s390 -a "$module" = ctc ]; then
         echo "$arguments" > $MODUTILSDIR/$module.chandev
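Review bot: `cat $TempFile4 > $i` runs without checking that the preceding `) > $TempFile4` succeeded, so a failed write (a full /tmp, for example) would replace the configuration file with truncated or empty content. Check the status of the subshell before copying, and quote both `$TempFile4` and `$i`.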
@@ -538,13 +536,12 @@ remove_from_modules_conf () {
 	  echo $line;
 	fi; 
 	done; 
-      )   > $TempFile.4
+      )   > $TempFile4
       if [ $modd ]; then
-	cat $TempFile.4 > $i
+	cat $TempFile4 > $i
 	modd=""
       fi
     done
-    rm -f $TempFile.4
   fi
 
   update_modules
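Review bot: this is the same filter-and-copy block as in update_modules_conf, here tab-indented where the other copy uses spaces; factoring it into one helper would mean the temp file handling only has to be fixed in one place.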

I'm not familiar enough with the boot floppies to test whether this
version works with them, but I've tried to test as much as I can on an
installed system (with bash and ash, with and without tempfile
installed).

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux micro 2.4.12-ac6+preempt-1 #1 Fri Oct 26 23:24:08 BST 2001 i686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages modconf depends on:
ii  modutils                      2.4.10-3   Linux module utilities.
ii  whiptail                      0.50.17-7  Displays user-friendly dialog boxe
ii  debianutils    1.15           Miscellaneous utilities specific to Debian.

-- 
Colin Phipps <cph@cph.demon.co.uk>   http://www.cph.demon.co.uk/
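
A sketch of the handling the report asks for, written here as an added example (it is not modconf code and not part of the original message): instead of several sibling names, all work files live in one private directory that is created atomically. The function names, the `modconf-example` prefix and the `Menu`/`Args` variables are hypothetical.

```shell
#!/bin/sh
# Added example, not modconf code. All names here are hypothetical.

# Atomic creation under a predictable name: mkdir fails if a file, directory
# or symlink already has that name, and nothing is reused on failure.
mkdir_private() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Print the path of a new private directory under $1 (assumed default: /tmp).
make_scratch_dir() {
    base=${1:-${TMPDIR:-/tmp}}
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp -d picks an unpredictable name and creates it with mode 0700.
        mktemp -d "$base/modconf-example.XXXXXX"
    else
        mkdir_private "$base/modconf-example.$$" || return 1
        printf '%s\n' "$base/modconf-example.$$"
    fi
}

# Create the directory, register cleanup, and name the work files inside it.
setup_scratch() {
    Scratch=$(make_scratch_dir "$1") || return 1
    # Single quotes: $Scratch is expanded, quoted, when the trap runs.
    trap 'rm -rf "$Scratch"' 0
    # Turn signals into a normal exit so the cleanup above always runs.
    trap 'exit 1' HUP INT TERM
    # Files inside a 0700 directory cannot be pre-created by other users,
    # so fixed names are safe here.
    Menu="$Scratch/menu"
    Args="$Scratch/args"
}
```

A caller would run `setup_scratch || exit 1` once at startup and then write to `"$Menu"` and `"$Args"` as often as needed.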

---------------------------------------
Received: (at 117283-done) by bugs.debian.org; 12 Sep 2002 06:17:07 +0000
>From dwhedon@kimdon.org Thu Sep 12 01:17:07 2002
Return-path: <dwhedon@kimdon.org>
Received: from 12-233-47-38.client.attbi.com (oink) [12.233.47.38] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17pNHn-0008Cb-00; Thu, 12 Sep 2002 01:17:07 -0500
Received: by oink (Postfix, from userid 1000)
	id 7FB50739E1; Wed, 11 Sep 2002 23:21:43 -0700 (PDT)
Date: Wed, 11 Sep 2002 23:21:43 -0700
From: David Kimdon <dwhedon@debian.org>
To: 117283-done@bugs.debian.org, 136000-done@bugs.debian.org,
	58007-done@bugs.debian.org, 94536-done@bugs.debian.org,
	105648-done@bugs.debian.org, 117474-done@bugs.debian.org
Subject: these modconf bugs are fixed and done
Message-ID: <20020912062143.GA12347@kimdon.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Delivered-To: 117283-done@bugs.debian.org


These bugs are fixed; they have been for some time but have been
marked fixed in NMU until now.

-David
