In article <19981201084554.A18101@csl-gmbh.net> you wrote:

Sorry. Yes, lrz is not buggy. But the "cu" program from uucp-1.06.1
(uucp.1.06.1-16 in rpm) contains this security leak. I use "cu" as my modem
terminal. "cu" sets umask to zero at self-init. I call "rz" from "cu" by the
~+ command.

    [3:20:45] yuri@killer:yuri$ rpm -qa|grep uucp
    uucp-1.06.1-16
    [3:20:45] yuri@killer:yuri$ cu -l ttyS1 -s 115200
    Connected.
    ~+umask
    000

src/uucp*/unix/init.c:

    /* We always set our file modes to exactly what we want. */
    umask (0);

The solution is to save the old umask before setting it to zero and restore
it after each fork+exec.

And something about "lrz". I think that simple fopen() is not correct. It's
dangerous when the other side, for example, sets the file mode to 0600. It
means that _any_ user (if umask is set to world-readable), even if "sz" is
sending a file with user-only-access permission, can read this file while
it is downloading.

p.s. ALL programs from this UUCP package set umask to zero. Maybe some
parts of UUCP call other programs themselves. And all of these programs
have umask = 0. It's very bad.

>On Mon, Nov 30, 1998 at 10:16:21PM +0200, Yuri Kuzmenko wrote:
>> lrz (Linux ZMODEM file receiver) from lrzsz package has a security hole
>> with file permission.
>>
>> lrz creates a file with 0666 mode (world writable)
>No, it doesn't. fopen() is not that buggy.
>> File mode set to normal (specified by other side) only after downloading.
>correct.
>> my umask is 022
>I don't see a code path which doesn't honor your umask, and testing
>shows that the files get created with (0666 & ~(umask)).
>So what did you do? Can you tell me how to reproduce the behaviour
>you have seen?
>btw: I really like waking up and finding the name of software packages
>I maintain (especially those I only maintain because nobody else did)
>on bugtraq. It's going to be a beautiful day.
>Next time just send me an email some time before you send it to bugtraq.
>Thank you.
>Regards, Uwe

--
// Yuri Kuzmenko at home
// http://www.cracksoft.kiev.ua
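
The fix proposed in the message above (keep the old umask when zeroing it, put it back in the child after fork and before exec) together with a private-create alternative to plain fopen(), as an added example that is not part of the original post and is not uucp or lrzsz code. The function names, the `sh` stand-in for a spawned helper such as rz, and the file name are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
static mode_t saved_umask;  /* the user's mask, captured before zeroing it */

/* Same umask(0) as the init.c line quoted in the post, but the old value is kept. */
void init_umask(void) { saved_umask = umask(0); }

/* Exec `sh` as a stand-in for a helper such as rz, let it create `path`, and
 * return the resulting permission bits (-1 on error). restore != 0 applies
 * the proposed fix: put the saved mask back in the child, before exec. */
int mode_from_child(const char *path, int restore)
{
    struct stat st;
    int status;
    pid_t pid;
    unlink(path);                /* a stale file would keep its old mode */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (restore)
            umask(saved_umask);  /* child only; the parent stays at 0 */
        execl("/bin/sh", "sh", "-c", ": > \"$1\"", "sh", path, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) || stat(path, &st) != 0)
        return -1;
    unlink(path);
    return (int)(st.st_mode & 0777);
}

/* Receiver side: create the file 0600 and exclusively, so it is private for the
 * whole transfer regardless of umask; the sender's mode can be applied at the end. */
FILE *create_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? NULL : fdopen(fd, "wb");
}

int main(void)
{
    umask(022);     /* constructed: the umask stated in the quoted report */
    init_umask();
    printf("inherited 0: %04o\n", mode_from_child("umask_demo.tmp", 0));
    printf("restored:    %04o\n", mode_from_child("umask_demo.tmp", 1));
    return 0;
}
```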