
Bug#302412: exploitable temporary file race in unshar (fwd)


From: Santiago Vila
Subject: Bug#302412: exploitable temporary file race in unshar (fwd)
Date: Thu, 31 Mar 2005 19:36:02 +0200 (CEST)

Hello.

I received this from the Debian bug system:

I see that there is a 4.3.78 release in ftp.gnu.org, but as it's in
a separate directory, I assume it is not considered stable yet.

---------- Forwarded message ----------
From: Joey Hess <address@hidden>
To: Debian Bug Tracking System <address@hidden>
Date: Thu, 31 Mar 2005 06:51:57 -1000
Subject: Bug#302412: exploitable temporary file race in unshar

Package: sharutils
Version: 1:4.2.1-11
Severity: grave
Tags: security

In unshar.c:

      sprintf (name_buffer, "/tmp/unsh.%05d", (int) getpid ());
      unlink (name_buffer);

      if (file = fopen (name_buffer, "w+"), !file)

The unlink makes it difficult, but surely not impossible to race unshar,
when it is run on stdin, and cause it to fopen a symlink that points at
an arbitrary file, which will then be replaced with the contents of the
shell archive.

A few other unsafe (but not IMHO really serious) uses of /tmp in sharutils
include:

- This example in shar(1):

              find . -type f -print | sort | shar -S -Z -L50 -o /tmp/big

- This example in the info file:

          find . -type f -print | shar -S -o /tmp/big.shar

- This example in README.OLD:

e.g., find . -type f -print | sort | shar -C -l50 -o /tmp/big

- This in contrib/shar.sh:

        echo 'temp=/tmp/shar$$; dtemp=/tmp/.shar$$'
        echo 'trap "rm -f $temp $dtemp; exit" 0 1 2 3 15'
        echo 'cat > $temp <<\!!!'
...
        echo "wc $contents | sed 's=[^ ]*/==' | "'diff -b $temp - >$dtemp'

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sharutils depends on:
ii  debianutils                 2.13.2       Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo
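The defect in the quoted unshar.c lines is the predictable name plus the unlink/fopen window; the standard fix is to let mkstemp(3) create the file atomically (O_CREAT|O_EXCL, mode 0600) under a random suffix, and to verify the open descriptor before trusting it. The program below is an added illustration, not code from sharutils or from either message in the thread: it keeps the report's name pattern in weak_temp_name() purely for contrast, and the function names, the TMPDIR fallback and the sample payload string are all my own choices.

```c
/* Added example (not sharutils code): the predictable-name pattern from the
 * bug report beside a hardened replacement built on mkstemp(3), plus a
 * post-open sanity check a defender can apply to any temporary file. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The pattern the report quotes: the name is a pure function of the pid, so
 * anyone who can read the process table knows it in advance. Shown only to
 * make the contrast explicit; nothing is created on disk here. */
int weak_temp_name(char *buf, size_t len, pid_t pid)
{
    int n = snprintf(buf, len, "/tmp/unsh.%05d", (int) pid);
    return (n > 0 && (size_t) n < len) ? 0 : -1;
}

/* Hardened replacement: mkstemp() picks a random suffix and opens the file
 * with O_CREAT|O_EXCL and mode 0600, so a pre-placed symlink is never
 * followed and there is no separate unlink/fopen window. Returns the fd or
 * -1; the chosen path is written to path_out so the caller can unlink it. */
int open_private_tempfile(char *path_out, size_t len)
{
    const char *dir = getenv("TMPDIR");          /* assumption: honour TMPDIR */
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, len, "%s/unsh.XXXXXX", dir);
    if (n <= 0 || (size_t) n >= len)
        return -1;
    mode_t old = umask(077);                     /* belt and braces on old libcs */
    int fd = mkstemp(path_out);
    umask(old);
    return fd;
}

/* Sanity check on an already-open temp fd: it must be a regular file with a
 * single link owned by us, and the name on disk must still refer to the same
 * inode (catches a symlink or a swapped file between open and use). */
int tempfile_is_sane(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || S_ISLNK(ls.st_mode))
        return 0;
    if (fs.st_uid != getuid() || fs.st_nlink != 1)
        return 0;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino)
        return 0;
    return 1;
}

/* Round trip: create, check, write a constructed payload, read it back,
 * unlink. Returns 0 on success, -1 on any failure. */
int roundtrip_demo(void)
{
    char path[4096];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0)
        return -1;
    int ok = tempfile_is_sane(fd, path);
    if (ok) {
        const char msg[] = "shell archive payload";   /* constructed sample */
        ok = write(fd, msg, sizeof msg) == (ssize_t) sizeof msg;
        if (ok) {
            char back[sizeof msg];
            ok = lseek(fd, 0, SEEK_SET) == 0
              && read(fd, back, sizeof back) == (ssize_t) sizeof back
              && memcmp(back, msg, sizeof msg) == 0;
        }
    }
    close(fd);
    unlink(path);    /* the name was ours alone, so unlink-after-use is safe */
    return ok ? 0 : -1;
}

int main(void)
{
    char weak[64];
    weak_temp_name(weak, sizeof weak, getpid());
    printf("predictable name the report objects to: %s\n", weak);
    printf("mkstemp round trip: %s\n", roundtrip_demo() == 0 ? "ok" : "failed");
    return 0;
}
```

The unlink in the original only narrows the window between name choice and fopen; mkstemp removes it, and tempfile_is_sane() is the kind of check worth keeping even after the fix, since it turns a silent overwrite of some other file into a detectable failure.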
