Message-ID: <20010527050633.A3047@openwall.com>
Date: Sun, 27 May 2001 05:06:33 +0400
From: solar@...nwall.com
To: owl-users@...ts.openwall.com
Subject: Re: gawk (igawk) tempfiles

On Fri, May 25, 2001 at 10:05:53PM +0300, Jarno Huuskonen wrote:

Hi,

> igawk from gawk-3.0.6 uses /tmp/ig.s.$$ for tempfile. I made this

Thanks for the report and the patch.

Just to make it clear, we don't yet claim to have fixed all of the
temporary file handling issues we know of. We've fixed the worst ones
plus some more, but there're still some in scripts that don't require
privileges greater than those of a regular user to run and some which
are at worst a DoS against the program itself (that is, the open is
done with O_EXCL, but the filename is predictable) and the program
doesn't perform a critical system function. There're many places in
documentation for various packages which suggest bad practices, fixing
all of them is going to take time.

We'd appreciate any help you might provide, especially given that the
fixes will be useful for other distributions as well.

(Of course, we use pam_mktemp, but it only works for programs which
use $TMPDIR or $TMP and isn't an excuse against fixing the individual
vulnerabilities anyway.)

> (not tested) patch so igawk'll use mktemp:
> --------------------
> --- gawk-3.0.6/awklib/eg/prog/igawk.sh Tue Aug 8 02:03:36 2000
> +++ gawk-3.0.6-jh/awklib/eg/prog/igawk.sh Fri May 25 18:34:21 2001

This wouldn't work, the igawk.sh is re-generated from pieces given as
examples in gawk.texi (which would need to be patched anyway).

Anyway, I've fixed this for Owl-current.

* Sun May 27 2001 Solar Designer <solar@....openwall.com>
- Patched unsafe temporary file handling in igawk, based on report and
patch from Jarno Huuskonen.
- Make sure gawk.info and igawk.sh are re-generated from gawk.texi on
package builds.

> Also some scripts from gzip (zdiff, znew) use similar tempfiles.
> ( At least Michal Zalewski has found the same problems a while ago:
> http://security-archive.merton.ox.ac.uk/linux-security-199803/0031.html )

Thanks. I've updated my list.

-- 
/sd
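
The three cases the message distinguishes (a predictable name opened normally, a predictable name opened exclusively, and mktemp), as an added shell example that is not part of the original post or of the Owl patch. The scratch directory, the file name ig.s.12345 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Everything happens in a private scratch directory.

# Predictable name, plain redirect (the /tmp/ig.s.$$ pattern): the shell
# opens with O_TRUNC and writes through whatever already has that name.
create_plain() {
    ( printf 'data\n' > "$1" ) 2>/dev/null
}

# Predictable name, exclusive create: with noclobber the shell refuses an
# existing file instead of overwriting it. Nothing is clobbered, but
# whoever takes the name first makes the script fail (the DoS-only case).
create_exclusive() {
    ( set -C; printf 'data\n' > "$1" ) 2>/dev/null
}

# mktemp: random suffix, exclusive create, mode 0600. Prints the new path.
create_mktemp() {
    mktemp "$1/ig.s.XXXXXX"
}

demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    name="$scratch/ig.s.12345"         # constructed stand-in for /tmp/ig.s.$$
    printf 'someone else\n' > "$name"  # the name is taken before the script runs

    if create_exclusive "$name"; then excl=created; else excl=refused; fi
    excl_content=$(cat "$name")
    if create_plain "$name"; then plain=created; else plain=refused; fi
    plain_content=$(cat "$name")
    safe=$(create_mktemp "$scratch") || { rm -rf "$scratch"; return 1; }
    safe_mode=$(ls -l "$safe" | cut -c1-10)

    printf 'exclusive: %s, file still holds "%s"\n' "$excl" "$excl_content"
    printf 'plain:     %s, file now holds "%s"\n' "$plain" "$plain_content"
    printf 'mktemp:    %s (%s)\n' "${safe##*/}" "$safe_mode"
    rm -rf "$scratch"
}

demo
```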