[18340] in bugtraq
Re: Solaris patchadd(1) (3) symlink vulnerability
daemon@ATHENA.MIT.EDU (Paul Szabo)
Sun Dec 24 19:10:01 2000
Message-ID: <200012222017.HAA21452@milan.maths.usyd.edu.au>
Date: Sat, 23 Dec 2000 07:17:26 +1100
Reply-To: Paul Szabo <psz@MATHS.USYD.EDU.AU>
From: Paul Szabo <psz@MATHS.USYD.EDU.AU>
X-To: Darren.Moffat@eng.sun.com
To: BUGTRAQ@SECURITYFOCUS.COM
Darren Moffat <Darren.Moffat@ENG.SUN.COM> wrote:
> Since patchadd is a script the bug is pretty easy to fix...
> So here is a set of diffs to patchadd for those that really can't wait.
> [ replaces /tmp by a safe ${WORKDIR} ]
Wow! That was quick.
However you seem to have missed the "cat << EOF" constructs, which I
believe were the subject of the original report:
> Jonathan Fortin <jfortin@REVELEX.COM> wrote:
>> When patchadd is executed, it creates a temporary file called
>> "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
>> "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
That is a bug in the ksh you are using: do not use "here documents" until
you fix the ksh. Need to check/fix all rootly ksh and sh scripts.
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
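
The message above ends by saying that all root-run ksh and sh scripts need checking for here documents. A sketch of such a check follows, as an added example that is not part of the original message or of Sun's patch. The function names (`is_sh_script`, `heredoc_lines`, `audit_heredocs`) are hypothetical, and the matching is a line-based heuristic, so review each hit by hand.

```shell
#!/bin/sh
# Added example: list here-document uses in sh/ksh scripts under a directory
# so that each one can be reviewed. All function names are hypothetical.

# is_sh_script FILE: succeed when the #! line names sh or ksh (not bash etc.).
is_sh_script() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#!.*[/[:space:]]k?sh([[:space:]]|$)'
}

# heredoc_lines FILE: print "file:line: text" for each line that appears to
# open a here document (<< or <<-).
heredoc_lines() {
    awk '
        /^[[:space:]]*#/ { next }            # skip whole-line comments
        {
            line = $0
            gsub(/<<</, "", line)            # here-strings are not here documents
            gsub(/\(\([^)]*\)\)/, "", line)  # inside (( ... )), << is a bit shift
            if (line ~ /<<-?[[:space:]]*[^[:space:]<=]/)
                print FILENAME ":" FNR ": " $0
        }' "$1"
}

# audit_heredocs DIR: run the check over every sh/ksh script below DIR.
audit_heredocs() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_sh_script "$f"; then
            heredoc_lines "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/scripts
if [ "$#" -gt 0 ]; then
    audit_heredocs "$1"
fi
```
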