Re: Bug#19797: libc6-dev: use of /tmp/*$$ in an insecure fashion



For this to be complete there needs to be a check for tempfile, that falls
back to the old temp definitions when tempfile doesn't exist on the
system.

But, before we go more deeply into this, I feel compelled to point out the
following:

	1. This is upstream source.

	2. The execution of the "offensive" code need not be done as root.

	3. This code has no effect on the installation or configuration of
	   this package, so violation of security during installation has
	   no contribution from this code.

	4. If this is a "correct" reading of the policy issue, and you
	   think the policy is not clear, please ask that the policy make
	   it clear by requiring this "correct tmp behavior" only during
	   installation, or when the code will be run as root, and not
	   during build processes that are not expected to be run as root.


I have forwarded your patch upstream, and, if Ulrich approves it, I will
certainly apply it to the release I am currently working on, otherwise I
would like to lower the severity to wishlist until the policy group makes
a determination of its importance.

Please note that I am cc'ing debian-policy.

TO THE POLICY GROUP:

Consider this a formal request for clarification of the policy with
respect to "insecure use of tmp". It seems to me this is only a security
issue when it is a security issue ;-) and in this instance I don't see the
code in question as a system security issue.

Can we clarify this with a rationale?

On Sat, 13 Jun 1998, Joel Klecker wrote:

> At 08:32 -0700 1998-06-13, Richard Braakman wrote:
> >Joel Klecker wrote:
> >> Here is a quick patch to fix this bug, I have tested it, and it works fine.
> >
> >It needs a bit more work though.  The script uses both $TEMP and $TEMP.x.
> >Once $TEMP is used, $TEMP.x becomes a predictable name.  The script
> >should use something like $TEMPX for the second, and create that
> >with tempfile as well.
> 
> d'oh, didn't think of that. revised patch follows.
> 
> --- glibcbug.in.orig    Sat Jun 13 07:14:15 1998
> +++ glibcbug.in Sat Jun 13 08:39:28 1998
> @@ -19,7 +19,8 @@ STDIO="@stdio@"
>  PATH=/bin:/usr/bin:/usr/local/bin:$PATH
>  export PATH
> 
> -TEMP=/tmp/glibcbug.$$
> +TEMP=`tempfile -p gbug`
> +TEMPX=`tempfile -p gbugx`
> 
>  BUGADDR=${1-$BUGGLIBC}
>  ENVIRONMENT=`uname -a`
> @@ -28,8 +29,8 @@ ENVIRONMENT=`uname -a`
> 
>  : ${USER=${LOGNAME-`whoami`}}
> 
> -trap 'rm -f $TEMP $TEMP.x; exit 1' 1 2 3 13 15
> -trap 'rm -f $TEMP $TEMP.x' 0
> +trap 'rm -f $TEMP $TEMPX; exit 1' 1 2 3 13 15
> +trap 'rm -f $TEMP $TEMPX' 0
> 
> 
>  # How to read the passwd database.
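
Review bot: These trap lines still sit below the point where the previous hunk now runs tempfile, so there is a window in which both files exist with no cleanup registered. The old assignment only built a name, whereas tempfile creates the file at once, and a signal arriving before the traps are set leaves both files behind. Suggest moving the two trap lines above the tempfile calls and quoting the operands: rm -f "$TEMP" "$TEMPX".
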
> @@ -147,11 +148,11 @@ ${ORGANIZATION- $ORGANIZATION_C}
>  EOF
> 
>  chmod u+w $TEMP
> -cp $TEMP $TEMP.x
> +cp $TEMP $TEMPX
> 
>  eval $EDIT $TEMP
> 
> -if cmp -s $TEMP $TEMP.x; then
> +if cmp -s $TEMP $TEMPX; then
>         echo "File not changed, no bug report submitted."
>         exit 1
>  fi
> @@ -244,9 +245,9 @@ sed  -e "
>  /^>Description:/,/^>[A-Za-z-]*:/s;$DESCRIPTION_C;;
>  /^>How-To-Repeat:/,/^>[A-Za-z-]*:/s;$HOW_TO_REPEAT_C;;
>  /^>Fix:/,/^>[A-Za-z-]*:/s;$FIX_C;;
> -" $TEMP > $TEMP.x
> +" $TEMP > $TEMPX
> 
> -if $MAIL_AGENT < $TEMP.x; then
> +if $MAIL_AGENT < $TEMPX; then
>    echo "$COMMAND: problem report sent"
>    xs=0; exit
>  else
> --
> Joel "Espy" Klecker
> Debian GNU/Linux Developer
> <mailto:jk@espy.org>
> <http://web.espy.org/>
> 
> 

Dwarf
--
_-_-_-_-_-   Author of "The Debian Linux User's Guide"  _-_-_-_-_-_-

aka   Dale Scheetz                   Phone:   1 (850) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

_-_-_-_-_-_- If you don't see what you want, just ask _-_-_-_-_-_-_-
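
One way to provide the fallback asked for in the first paragraph of this message without returning to a bare /tmp/glibcbug.$$ file. This is an added example, not code from the thread or from glibcbug; the helper names make_temps, fallback_temps and cleanup_temps, the WORKDIR variable and the file names report and report.x are assumptions.

```shell
#!/bin/sh
# Added example: sets TEMP and TEMPX to two private files, and WORKDIR to a
# directory that must be removed afterwards (empty when tempfile was used).

make_temps() {
    TEMP= TEMPX= WORKDIR=
    if command -v tempfile >/dev/null 2>&1; then
        # tempfile creates each file itself and prints the name it chose.
        TEMP=`tempfile -p gbug` && TEMPX=`tempfile -p gbugx`
        return
    fi
    fallback_temps "${TMPDIR:-/tmp}/glibcbug.$$"
}

# Fallback for systems without tempfile. The name is still predictable,
# but mkdir is atomic and fails if the path already exists as a file,
# directory or symlink, so a name planted in advance stops the script
# instead of redirecting its writes. umask 077 keeps other users out.
fallback_temps() {
    (umask 077 && mkdir "$1") 2>/dev/null || return 1
    WORKDIR=$1
    TEMP=$WORKDIR/report
    TEMPX=$WORKDIR/report.x
    : > "$TEMP" && : > "$TEMPX"
}

# Safe to call from a trap even if make_temps never ran or failed.
cleanup_temps() {
    for f in "$TEMP" "$TEMPX"; do
        if [ -n "$f" ]; then rm -f "$f"; fi
    done
    if [ -n "$WORKDIR" ]; then rmdir "$WORKDIR"; fi
}

# Intended use, with the traps set before anything is created:
#   trap 'cleanup_temps; exit 1' 1 2 3 13 15
#   trap 'cleanup_temps' 0
#   make_temps || { echo "cannot create temporary files" >&2; exit 1; }
```

Inside the private directory the fixed names report and report.x are harmless, because no other user can create entries there.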

