[8661] in bugtraq
Re: RedHat 5.2 lrzsz-0.12.14-5 have serious security hole
daemon@ATHENA.MIT.EDU (Yuri Kuzmenko)
Wed Dec 2 00:31:41 1998
Apparently-To: bugtraq@netspace.org
Date: Tue, 1 Dec 1998 21:15:34 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Yuri Kuzmenko <yuri@KILLER.CRACKSOFT.KIEV.UA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19981201084554.A18101@csl-gmbh.net>
In article <19981201084554.A18101@csl-gmbh.net> you wrote:
Sorry. Yes, lrz is not buggy.
But the "cu" program from uucp-1.06.1 (uucp-1.06.1-16 in rpm) contains this
security leak. I use "cu" as my modem terminal. "cu" sets umask to zero at
self-init. I call "rz" from "cu" by the ~+ command.
[3:20:45] yuri@killer:yuri$ rpm -qa|grep uucp
uucp-1.06.1-16
[3:20:45] yuri@killer:yuri$ cu -l ttyS1 -s 115200
Connected.
~+umask
000
src/uucp*/unix/init.c:
/* We always set our file modes to exactly what we want. */
umask (0);
The solution is to save the old umask before setting it to zero and to restore it
after each fork+exec.
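As an added example (not code from this post or from the uucp package), here is a C sketch of the leak described above and of the proposed fix, with a fork()ed child standing in for "rz" and a made-up path under /tmp:

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

static mode_t saved_umask;                                /* user's umask, captured at startup */
static const char *DEMO_PATH = "/tmp/cu_umask_demo.tmp";  /* constructed path for the demo */

/* Like uucp's init.c: remember the caller's umask, then use 0 for our own files. */
void init_umask(void) { saved_umask = umask(0); }

/* Create a file as fopen(path, "w") does (0666 before umask) and return the
 * permission bits the kernel actually applied; the file is removed again. */
mode_t create_and_get_mode(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return (mode_t)-1;
    if (fstat(fd, &st) < 0) { close(fd); unlink(path); return (mode_t)-1; }
    close(fd);
    unlink(path);
    return st.st_mode & 0777;
}

/* Fork a child standing in for "rz". With restore set, the child puts the saved
 * umask back before creating its file (the proposed fix); otherwise it inherits
 * umask 0 and the file comes out 0666. The real cu would execvp() rz here; this
 * stand-in reports the resulting mode back over a pipe instead. */
mode_t mode_in_child(int restore) {
    int fds[2];
    mode_t m = (mode_t)-1;
    if (pipe(fds) < 0) return m;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return m; }
    if (pid == 0) {
        if (restore) umask(saved_umask);
        m = create_and_get_mode(DEMO_PATH);
        if (write(fds[1], &m, sizeof m) != (ssize_t)sizeof m) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &m, sizeof m) != (ssize_t)sizeof m) m = (mode_t)-1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return m;
}

/* Whole scenario for a given user umask: returns the mode of the child's file. */
mode_t demo(mode_t user_umask, int restore) {
    umask(user_umask);
    init_umask();
    return mode_in_child(restore);
}
```

With a user umask of 022, demo(022, 0) reproduces the leak (0666) and demo(022, 1) shows the fixed behaviour (0644).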
And something about "lrz". I think that a simple fopen() is not correct.
It's dangerous when the other side, for example, sets the file mode to 0600. It means
that _any_ user (if umask is set to world-readable), even if "sz" is sending the file
with user-only-access permission, can read this file while it is downloading.
p.s. ALL programs from this UUCP package set umask to zero. Maybe some
parts of UUCP call other programs from themselves. And all of these programs have
umask = 0. It's very bad.
>On Mon, Nov 30, 1998 at 10:16:21PM +0200, Yuri Kuzmenko wrote:
>> lrz (Linux ZMODEM file receiver) from lrzsz package have a security hole
>> with file permission.
>>
>> lrz create file with 0666 mode (world writable)
>No, it doesn't. fopen() is not that buggy.
>> File mode set to normal (specified by other side) only after downloading.
>correct.
>> my umask is 022
>I don't see a code path which doesn't honor your umask, and testing
>shows that the files get created with (0666 & ~(umask)).
>So what did you do? Can you tell me how to reproduce the behaviour
>you have seen?
>btw: I really like waking up and finding the name of software packages
>I maintain (especially those I only maintain because nobody else did)
>on bugtraq. It's going to be a beautiful day.
>Next time just send me an email some time before you send it to bugtraq.
>Thank you.
>Regards, Uwe
--
// Yuri Kuzmenko at home
// http://www.cracksoft.kiev.ua