[18233] in bugtraq
Re: Solaris patchadd(1) (3) symlink vulnerability
daemon@ATHENA.MIT.EDU (Dan Harkless)
Wed Dec 20 17:20:59 2000
Message-Id:  <200012200155.RAA17438@dilvish.speed.net>
Date:         Tue, 19 Dec 2000 17:55:48 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Message from Paul Szabo <psz@MATHS.USYD.EDU.AU> of "Tue, 19 Dec
              2000 19:00:20 +1100."
              <200012190800.TAA05385@milan.maths.usyd.edu.au>
Paul Szabo <psz@MATHS.USYD.EDU.AU> writes:
> Jonathan Fortin <jfortin@REVELEX.COM> wrote:
>
> > When patchadd is executed, it creates temporary files called
> > "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
> > "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
>
> I guess that patchadd is a "sh" script using the "<<" construct, this
> being an instance of the bug I reported recently:
>
>   http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au
>
> This is essentially the same as the tcsh bug fixed recently in other OSs.
Speaking of which, I wonder if Sun has any plans to upgrade the tcsh 6.09.00
they provide with Solaris 8 to fix the << vulnerability.  Based on a grep of
the Dec 17 Solaris8.PatchReport, they still haven't gotten with the program
and fixed tcsh like the other vendors did some time ago.
----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
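
An added example, not part of the original message or of any vendor's code: a shell check an administrator could run to spot the condition discussed in this thread, here-document temp files named sh<pid>.<n> that are symlinks or world-writable. The function name audit_heredoc_tmp and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags entries named sh<pid>.<n>,
# the here-document temp file pattern quoted above, that are symlinks or
# world-writable. audit_heredoc_tmp is a hypothetical helper name.

audit_heredoc_tmp() {
    dir=${1:-/tmp}
    for path in "$dir"/sh[0-9]*.[0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        rest=${name#sh}
        pid=${rest%%.*}
        seq=${rest#*.}
        # Keep only names that are exactly sh<digits>.<digits>.
        case $pid in ''|*[!0-9]*) continue ;; esac
        case $seq in ''|*[!0-9]*) continue ;; esac

        if [ -L "$path" ]; then
            # A symlink here redirects whatever the shell writes next.
            echo "SYMLINK $name pid=$pid target=$(readlink "$path")"
        elif [ -f "$path" ] && [ -n "$(find "$path" -prune -perm -0002)" ]; then
            # Mode 666 (or any o+w) lets other users alter the contents.
            echo "WORLD-WRITABLE $name pid=$pid"
        fi
    done
    return 0
}

# Scan the directory given as the first argument, /tmp by default.
audit_heredoc_tmp "${1:-/tmp}"
```

Any hit while a root-run script such as patchadd is executing deserves a look at who owns the entry and where a symlink points.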