Bug#117283: modconf: Unsafe temp file handling in modconf(8)
Package: modconf
Version: 0.2.35
Severity: grave
Justification: user security hole
File: /usr/sbin/modconf
Tags: security patch
There are various flaws in the temporary file handling by modconf(8)
- the test in modules/param for tempfile(1) looks in the wrong directory
- while tempfile is used to get a safe temporary file, various other
temporary filenames are constructed by appending .1, .2 etc to this
name, without ensuring that these new names don't already exist
- temporary files are removed and recreated during use of modconf,
without generating new filenames or ensuring that no other file is
created with that name in the meantime
These create a security hole, where a malicious local user could perform
symlink attacks and/or gain access to modconf's temporary files; which
could clearly be a security hazard.
The following patch should address these problems:
diff -pru modconf-0.2.35/modconf modconf-0.2.35-cph/modconf
--- modconf-0.2.35/modconf Tue Mar 6 03:20:08 2001
+++ modconf-0.2.35-cph/modconf Sat Oct 27 13:51:24 2001
@@ -158,6 +158,8 @@ fi
. $libdir/util
. $libdir/dialog
+trap "rm -f $TempFile $TempFile1 $TempFile2 $TempFile3 $TempFile4" 0
+
# default if not set from cmdline
ModuleHelpDir=${ModuleHelpDir:-$Target/usr/share/modconf}
@@ -212,7 +214,5 @@ fi
for i in $Load_After; do
get_and_insmod $i
done
-
-rm -f $TempFile $TempFile.1 $TempFile.2 $TempFile.3 $TempFile.4
exit 0
diff -pru modconf-0.2.35/modules/params modconf-0.2.35-cph/modules/params
--- modconf-0.2.35/modules/params Tue Feb 8 06:53:58 2000
+++ modconf-0.2.35-cph/modules/params Sat Oct 27 13:06:18 2001
@@ -25,10 +25,18 @@ else
readonly sed="sed"
fi
-if [ -x /usr/bin/tempfile ]; then
+if [ -x /bin/tempfile -o -x /usr/bin/tempfile ]; then
readonly TempFile=`tempfile`
+ readonly TempFile1=`tempfile`
+ readonly TempFile2=`tempfile`
+ readonly TempFile3=`tempfile`
+ readonly TempFile4=`tempfile`
else
readonly TempFile="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$"
+ readonly TempFile1="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.1"
+ readonly TempFile2="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.2"
+ readonly TempFile3="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.3"
+ readonly TempFile4="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.4"
fi
KernelVersion=$(uname -r)
diff -pru modconf-0.2.35/modules/util modconf-0.2.35-cph/modules/util
--- modconf-0.2.35/modules/util Sat Oct 20 07:02:25 2001
+++ modconf-0.2.35-cph/modules/util Sat Oct 27 13:07:27 2001
@@ -157,16 +157,16 @@ module_directory_menu () {
build_lists
- echo 'menu "$text" "$title" \' > $TempFile.1
- echo '"$msg_Exit" " $msg_Finished_these" \' >> $TempFile.1
- echo '" " " " \' >> $TempFile.1
+ echo 'menu "$text" "$title" \' > $TempFile1
+ echo '"$msg_Exit" " $msg_Finished_these" \' >> $TempFile1
+ echo '" " " " \' >> $TempFile1
infoBox "$msg_Please_wait_l" "$msg_Please_wait"
- build_module_directory_menu $directory >> $TempFile.1
+ build_module_directory_menu $directory >> $TempFile1
local result
- result="$(. $TempFile.1)"
+ result="$(. $TempFile1)"
if [ $? -ne 0 ]; then return 1; fi
case "$result" in
@@ -193,7 +193,6 @@ module_directory_menu () {
edit_module "$result"
;;
esac
- rm -f $TempFile.1
done
}
@@ -248,24 +247,24 @@ edit_arguments () {
local old_arguments="$(parse_arguments $module)"
local arguments
- module_args $module >$TempFile.3
+ module_args $module >$TempFile3
local status=$?
if [ $status -eq 2 ]; then
- echo -n "msgBox \"" >$TempFile.2
- cat $TempFile.3 >>$TempFile.2
- echo "\" \"Module info\"">>$TempFile.2
- arguments="`. $TempFile.2`"
+ echo -n "msgBox \"" >$TempFile2
+ cat $TempFile3 >>$TempFile2
+ echo "\" \"Module info\"">>$TempFile2
+ arguments="`. $TempFile2`"
return 0
fi
if [ $status -ne 3 ]; then
- echo -n "inputBox \"" >$TempFile.2
- cat $TempFile.3 >>$TempFile.2
- echo "">>$TempFile.2
- echo "$msg_enter_arguments_l\" \\" >>$TempFile.2
- echo "\"$msg_enter_arguments\" \\" >>$TempFile.2
- echo "\"$old_arguments\"" >>$TempFile.2
+ echo -n "inputBox \"" >$TempFile2
+ cat $TempFile3 >>$TempFile2
+ echo "">>$TempFile2
+ echo "$msg_enter_arguments_l\" \\" >>$TempFile2
+ echo "\"$msg_enter_arguments\" \\" >>$TempFile2
+ echo "\"$old_arguments\"" >>$TempFile2
- arguments="`. $TempFile.2`"
+ arguments="`. $TempFile2`"
if [ $? -ne 0 ]; then return 1; fi
else
arguments=''
@@ -493,13 +492,12 @@ update_modules_conf () {
echo $line;
fi;
done;
- ) > $TempFile.4
+ ) > $TempFile4
if [ $modd ]; then
- cat $TempFile.4 > $i
+ cat $TempFile4 > $i
modd=""
fi
done
- rm -f $TempFile.4
if [ -z "$done" -a -n "$arguments" ]; then
if [ "$machine" = s390 -a "$module" = qeth -o "$machine" = s390 -a "$module" = lcs -o "$machine" = s390 -a "$module" = netiucv -o "$machine" = s390 -a "$module" = ctc ]; then
echo "$arguments" > $MODUTILSDIR/$module.chandev
@@ -538,13 +536,12 @@ remove_from_modules_conf () {
echo $line;
fi;
done;
- ) > $TempFile.4
+ ) > $TempFile4
if [ $modd ]; then
- cat $TempFile.4 > $i
+ cat $TempFile4 > $i
modd=""
fi
done
- rm -f $TempFile.4
fi
update_modules
I'm not familiar enough with the boot floppies to test whether this
version works with them, but I've tried to test as much as I can on an
installed system (with bash and ash, with and without tempfile
installed).
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux micro 2.4.12-ac6+preempt-1 #1 Fri Oct 26 23:24:08 BST 2001 i686
Locale: LANG=en_GB, LC_CTYPE=en_GB
Versions of packages modconf depends on:
ii modutils 2.4.10-3 Linux module utilities.
ii whiptail 0.50.17-7 Displays user-friendly dialog boxe
ii debianutils 1.15 Miscellaneous utilities specific to Debian.
--
Colin Phipps <cph@cph.demon.co.uk> http://www.cph.demon.co.uk/
Reply to: