#########################################################

shtool insecure temporary file creation

Vendor: http://www.gnu.org/software/shtool/
Advisory: http://www.zataz.net/adviso/shtool-05252005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact: low
Exploitation: low

#########################################################

shtool contains a security flaw which could allow a malicious local user to
create or overwrite the contents of arbitrary files with the rights of the
user who runs shtool.

The vulnerability is a race condition.

Many products use shtool, for example:

- ocan-mysql
- SellaNMS
- ipcmp
- OOPSE
- OpenLDAP
- PHP
- OpenPKG
- others ....

##########
Versions:
##########

shtool <= 2.0.1

##########
Solution:
##########

As far as I know, only Gentoo has provided an update to shtool.

Use mktemp, umask and chmod to create secure temporary files.

#########
Timeline:
#########

Discovered : 2005-05-25
Vendor notified : 2005-05-25
Vendor response : no more vendor
Vendor fix : no vendor fix
Disclosure : 2005-05-25

#####################
Technical details :
#####################

Vulnerable code :
-----------------

    # establish a temporary file on request
    if [ ".$gen_tmpfile" = .yes ]; then
        if [ ".$TMPDIR" != . ]; then
            tmpdir="$TMPDIR"
        elif [ ".$TEMPDIR" != . ]; then
            tmpdir="$TEMPDIR"
        else
            tmpdir="/tmp"
        fi
        tmpfile="$tmpdir/.shtool.$$"
        rm -f $tmpfile >/dev/null 2>&1
        touch $tmpfile
        chmod 600 $tmpfile
    fi

    [...]

    # cleanup procedure
    shtool_exit () {
        rc="$1"
        if [ ".$gen_tmpfile" = .yes ]; then
            rm -f $tmpfile >/dev/null 2>&1 || true
        fi
        exit $rc
    }

gen_tmpfile is used by the tarball, subst, scpp and path actions.

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93782

#####################
Credits :
#####################

Eric Romang (eromang@private - ZATAZ Audit)
Thanks to Gentoo Security Team (Taviso, jaervosz, solar, etc.)
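
The approach named under "Solution" (mktemp, umask and chmod), written out as an added example; it is not part of the original advisory and is not shtool's or Gentoo's patch. The function names pick_tmpdir, make_tmpfile and cleanup_tmpfile are hypothetical, and mktemp is assumed to be installed.

```sh
#!/bin/sh
# Added example (not shtool's own code): hardened temp file setup.
# All function names below are hypothetical.

# Pick the temp directory the same way the vulnerable block does.
pick_tmpdir () {
    if [ ".$TMPDIR" != . ]; then
        printf '%s\n' "$TMPDIR"
    elif [ ".$TEMPDIR" != . ]; then
        printf '%s\n' "$TEMPDIR"
    else
        printf '%s\n' "/tmp"
    fi
}

# Create the file atomically under an unpredictable name.
# mktemp creates the file exclusively, so a file or symlink that already
# exists at the chosen path is never reused or followed, unlike the
# rm / touch / chmod sequence on the PID-based name ".shtool.$$".
make_tmpfile () {
    dir=`pick_tmpdir`
    (
        umask 077    # never group/world accessible, even briefly
        f=`mktemp "$dir/.shtool.XXXXXXXXXX"` || exit 1
        chmod 600 "$f" || exit 1    # explicit, in case mktemp's mode differs
        printf '%s\n' "$f"
    )
}

# Remove the file on exit; quoting keeps unusual TMPDIR values intact.
cleanup_tmpfile () {
    [ -n "$1" ] && rm -f -- "$1" >/dev/null 2>&1
    return 0
}

# Usage sketch: run the script with the argument "demo".
if [ "${1:-}" = demo ]; then
    tmpfile=`make_tmpfile` || { echo "cannot create temp file" >&2; exit 1; }
    trap 'cleanup_tmpfile "$tmpfile"' 0
    trap 'exit 1' 1 2 15
    ls -l "$tmpfile"
fi
```
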