[17498] in bugtraq


Re: tcsh: unsafe tempfile in << redirects

daemon@ATHENA.MIT.EDU (Kris Kennaway)
Mon Nov 6 00:51:17 2000

Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
              protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e"
Content-Disposition: inline
Message-Id:  <20001104142735.A8897@citusc17.usc.edu>
Date:         Sat, 4 Nov 2000 14:27:35 -0800
Reply-To: Kris Kennaway <kris@FREEBSD.ORG>
From: Kris Kennaway <kris@FREEBSD.ORG>
X-To:         proton <proton@ENERGYMECH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39FBAAF7.D4F258A4@energymech.net>; from proton@ENERGYMECH.NET on
              Sun, Oct 29, 2000 at 04:43:35AM +0000

--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Oct 29, 2000 at 04:43:35AM +0000, proton wrote:

> VULNERABLE VERSIONS:
>=20
> 6.07.02 (Astron) 1996-10-27
> 6.08.00 (Astron) 1998-10-02
> 6.09.00 (Astron) 1999-08-16 (latest)

This was fixed in the tcsh CVS repo with the following patch. I would
have just used mkstemp() myself, but it seems okay.

Kris

Index: sh.dol.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/contrib/tcsh/sh.dol.c,v
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3.2.1 sh.dol.c
--- sh.dol.c	2000/06/10 22:25:57	1.1.1.3.2.1
+++ sh.dol.c	2000/11/04 22:23:29
@@ -1,4 +1,4 @@
-/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */
+/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp=
 $ */
 /*
  * sh.dol.c: Variable substitutions
  */
@@ -36,7 +36,7 @@
  */
 #include "sh.h"
=20
-RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $")
+RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $")
=20
 /*
  * C shell
@@ -1017,7 +1017,7 @@
 heredoc(term)
     Char   *term;
 {
-    register int c;
+    int c;
     Char   *Dv[2];
     Char    obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE];
     int     ocnt, lcnt, mcnt;
@@ -1025,7 +1025,9 @@
     Char  **vp;
     bool    quoted;
     char   *tmp;
+    struct timeval tv;
=20
+again:
     tmp =3D short2str(shtemp);
 #ifndef O_CREAT
 # define O_CREAT 0
@@ -1036,12 +1038,22 @@
 #ifndef O_TEMPORARY
 # define O_TEMPORARY 0
 #endif
-    if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) {
-	int     oerrno =3D errno;
-
+#ifndef O_EXCL
+# define O_EXCL 0
+#endif
+    if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) =3D=3D -1) {
+	int oerrno =3D errno;
+	if (errno =3D=3D EEXIST) {
+	    if (unlink(tmp) =3D=3D -1) {
+		(void) gettimeofday(&tv, NULL);
+		shtemp =3D Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^=20
+		    ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff));
+	    }
+	    goto again;
+	}
 	(void) unlink(tmp);
 	errno =3D oerrno;
-	stderror(ERR_SYSTEM, tmp, strerror(errno));
+ 	stderror(ERR_SYSTEM, tmp, strerror(errno));
     }
     (void) unlink(tmp);		/* 0 0 inode! */
     Dv[0] =3D term;
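Review bot: The rewritten `open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY)` call still passes no mode argument even though O_CREAT is set, so the permission bits of the here-document temp file are indeterminate during the window before the unlink(); give it an explicit owner-only mode, `open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY, 0600)`. The added `# define O_EXCL 0` fallback makes the exclusive-create check vanish silently on any platform that lacks the flag, so that branch deserves at least a comment such as `/* no O_EXCL: creation is not exclusive here, temp file race remains */`, or a build-time error. The `goto again` path has no retry bound: if the name keeps reappearing after a successful unlink(), the shell appears to loop indefinitely, and a small counter that falls through to `stderror(ERR_SYSTEM, tmp, strerror(errno))` after a few attempts would cap that. heredoc() begins before and continues past the lines shown in this hunk.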


--cNdxnHkX5QqsyA0e
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjoEjVYACgkQWry0BWjoQKUsJACfUC4/ef/F+dav06LiwDab49ZQ
NPEAoMf74NWxtdnCHeMEiE59pqK9gwmj
=+lwN
-----END PGP SIGNATURE-----

--cNdxnHkX5QqsyA0e--
