Richard Kettlewell <rjkat_private> has reported a security problem with trn. Trn comes with a newsgroups shell script that uses a hardcoded filename in /tmp as temporary storage. As you all know, this could be exploited to overwrite arbitrary files. If the file already exists as a symbolic link to users' files, they will be overwritten.

This was not intentional by the author; he tried to use tempfile(1) to create the temporary filename. However, due to a thinko, the name was hardcoded into the script.

I propose this patch against version 3.6.

diff -u -Nur --exclude CVS orig/trn-3.6/newsgroups.SH trn-3.6/newsgroups.SH --- orig/trn-3.6/newsgroups.SH Thu Aug 19 12:05:40 1999 +++ trn-3.6/newsgroups.SH Thu Aug 19 12:04:59 1999 @@ -33,7 +33,7 @@ #NORMAL~*) active=\`$filexp \$active\` ;; #NORMALesac #NNTP -#NNTPactive=`tempfile -p active` #"/tmp/active.\$\$" +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$" #NNTPrnlib=$privlib #NNTPcase \$rnlib in #NNTP~*) rnlib=\`$filexp \$rnlib\` ;;

Regards,

Joey

--
Debian GNU/Linux . Security Managers . securityat_private
debian-security-announceat_private
Christian Hudon . Wichert Akkerman . Martin Schulze
<chrishat_private> . <wakkermaat_private> . <joeyat_private>
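
Review bot: the changed `#NNTPactive=` line assigns the output of tempfile with no check that the command succeeded, so if tempfile(1) is missing or fails the script carries on with an empty `active`; appending `|| exit 1` to the assignment would stop it there. The trailing comment `#"/tmp/active.\$\$"` on the same line still shows a PID-based name in /tmp, which is predictable, and could be dropped so it is not mistaken for an acceptable fallback. Escaping the backticks matches the surrounding context lines, which already escape `\$active` and `\$rnlib` while leaving `$filexp` and `$privlib` to be expanded when the script is generated.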
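
The thinko described above, reproduced as an added example that is not part of the original message or of trn. It assumes newsgroups.SH emits the final script through an unquoted heredoc (as the escaped `\$active` in the patch context suggests) and uses mktemp(1) in place of tempfile(1); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not trn code). mktemp(1) stands in for tempfile(1).

# generate MODE OUT: emit a small script through an unquoted heredoc, as a
# .SH generator does. Unescaped substitutions run here, in the generator.
generate() {
    mode=$1 out=$2
    case $mode in
    broken)   # backticks unescaped: one name is chosen now and baked in
        cat >"$out" <<EOF
active=`mktemp -u "${TMPDIR:-/tmp}/active.XXXXXX"`
echo "\$active"
EOF
        ;;
    fixed)    # backticks escaped: the generated script calls mktemp itself
        cat >"$out" <<EOF
active=\`mktemp "\${TMPDIR:-/tmp}/active.XXXXXX"\` || exit 1
trap 'rm -f "\$active"' 0
echo "\$active"
EOF
        ;;
    esac
}

# is_frozen FILE: true if FILE holds a literal path, not a runtime mktemp call.
is_frozen() {
    ! grep -q '^active=`mktemp' "$1"
}

# two_runs_differ FILE: true if two runs of FILE pick different names.
two_runs_differ() {
    a=$(sh "$1") b=$(sh "$1")
    [ "$a" != "$b" ]
}

# Demo: show the assignment line each variant ends up with.
dir=$(mktemp -d) || exit 1
for m in broken fixed; do
    generate "$m" "$dir/$m"
    printf '%-6s -> ' "$m"; grep '^active=' "$dir/$m"
done
rm -rf "$dir"
```

The broken variant prints a literal path that every installed copy of the script would share; the fixed variant prints the command substitution, which is evaluated and creates the file each time the script runs.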