Your message dated Wed, 11 Sep 2002 23:21:43 -0700
with message-id <[EMAIL PROTECTED]>
and subject line these modconf bugs are fixed and done
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Oct 2001 13:25:02 +0000
>From [EMAIL PROTECTED] Sat Oct 27 08:25:02 2001
Return-path: <[EMAIL PROTECTED]>
Received: from anchor-post-34.mail.demon.net [194.217.242.92] 
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 15xTSQ-00032R-00; Sat, 27 Oct 2001 08:25:02 -0500
Received: from cph.demon.co.uk ([158.152.107.46] helo=micro.no28.org.uk)
        by anchor-post-34.mail.demon.net with esmtp (Exim 2.12 #1)
        id 15xTSK-000KzA-0Y
        for [EMAIL PROTECTED]; Sat, 27 Oct 2001 14:24:57 +0100
Received: by micro.no28.org.uk (Postfix, from userid 1000)
        id 8B907864; Sat, 27 Oct 2001 14:27:36 +0100 (BST)
Date: Sat, 27 Oct 2001 14:27:36 +0100
From: Colin Phipps <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: modconf: Unsafe temp file handling in modconf(8)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.23i
X-Reportbug-Version: 1.31
Delivered-To: [EMAIL PROTECTED]

Package: modconf
Version: 0.2.35
Severity: grave
Justification: user security hole
File: /usr/sbin/modconf
Tags: security patch

There are various flaws in the temporary file handling by modconf(8):

- the test in modules/param for tempfile(1) looks in the wrong directory
- while tempfile is used to get a safe temporary file, various other
  temporary filenames are constructed by appending .1, .2 etc to this
  name, without ensuring that these new names don't already exist
- temporary files are removed and recreated during use of modconf,
  without generating new filenames or ensuring that no other file is
  created with that name in the meantime 

These create a security hole, where a malicious local user could perform
symlink attacks and/or gain access to modconf's temporary files, which
could clearly be a security hazard.

The following patch should address these problems:

diff -pru modconf-0.2.35/modconf modconf-0.2.35-cph/modconf
--- modconf-0.2.35/modconf      Tue Mar  6 03:20:08 2001
+++ modconf-0.2.35-cph/modconf  Sat Oct 27 13:51:24 2001
@@ -158,6 +158,8 @@ fi
 . $libdir/util
 . $libdir/dialog
 
+trap "rm -f $TempFile $TempFile1 $TempFile2 $TempFile3 $TempFile4" 0
+
 # default if not set from cmdline
 ModuleHelpDir=${ModuleHelpDir:-$Target/usr/share/modconf}
 
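Review bot: The handler in trap "rm -f $TempFile ... $TempFile4" 0 is
double-quoted, so the five variables are expanded when the trap is
installed, not when it fires. The visible context sources only
$libdir/util and $libdir/dialog before this line; if modules/params
(where this patch defines TempFile1 to TempFile4) has not been sourced
by then, the handler reduces to a bare rm -f and nothing is cleaned up.
Single-quoting the handler and double-quoting each variable inside it
removes the dependency on ordering. The trap also covers only condition
0; shells differ on whether that runs when the script is killed by a
signal, so explicit INT/TERM/HUP handling that exits would make cleanup
reliable under ash as well as bash.
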
@@ -212,7 +214,5 @@ fi
 for i in $Load_After; do
   get_and_insmod $i
 done
-
-rm -f $TempFile $TempFile.1 $TempFile.2 $TempFile.3 $TempFile.4
 
 exit 0
diff -pru modconf-0.2.35/modules/params modconf-0.2.35-cph/modules/params
--- modconf-0.2.35/modules/params       Tue Feb  8 06:53:58 2000
+++ modconf-0.2.35-cph/modules/params   Sat Oct 27 13:06:18 2001
@@ -25,10 +25,18 @@ else 
     readonly sed="sed"
 fi
 
-if [ -x /usr/bin/tempfile ]; then
+if [ -x /bin/tempfile -o -x /usr/bin/tempfile ]; then
     readonly TempFile=`tempfile`
+    readonly TempFile1=`tempfile`
+    readonly TempFile2=`tempfile`
+    readonly TempFile3=`tempfile`
+    readonly TempFile4=`tempfile`
 else 
     readonly TempFile="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$"
+    readonly TempFile1="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.1"
+    readonly TempFile2="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.2"
+    readonly TempFile3="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.3"
+    readonly TempFile4="/tmp/`echo $0|$sed -e 's/^.*\///'`.$$.4"
 fi
 
 KernelVersion=$(uname -r)
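
Review bot: The else branch still builds predictable names
(/tmp/<script>.$$ and .$$.1 to .$$.4) without creating them, so on a
system without tempfile the symlink exposure described in the report is
unchanged. Consider refusing to run when tempfile is missing, or
creating a private directory with mkdir under umask 077 (mkdir fails if
the name exists) and placing the files inside it. In the first branch
the test checks /bin/tempfile and /usr/bin/tempfile, but the call is a
bare tempfile resolved through PATH, and its exit status is not checked;
an empty TempFileN would make the later redirections fail or misfire.
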
diff -pru modconf-0.2.35/modules/util modconf-0.2.35-cph/modules/util
--- modconf-0.2.35/modules/util Sat Oct 20 07:02:25 2001
+++ modconf-0.2.35-cph/modules/util     Sat Oct 27 13:07:27 2001
@@ -157,16 +157,16 @@ module_directory_menu () {
 
     build_lists
 
-    echo 'menu "$text" "$title" \' > $TempFile.1
-    echo '"$msg_Exit" "   $msg_Finished_these" \' >> $TempFile.1
-    echo '" " " " \' >> $TempFile.1
+    echo 'menu "$text" "$title" \' > $TempFile1
+    echo '"$msg_Exit" "   $msg_Finished_these" \' >> $TempFile1
+    echo '" " " " \' >> $TempFile1
     
     infoBox "$msg_Please_wait_l" "$msg_Please_wait"
 
-    build_module_directory_menu $directory >> $TempFile.1
+    build_module_directory_menu $directory >> $TempFile1
 
     local result
-    result="$(. $TempFile.1)"
+    result="$(. $TempFile1)"
     if [ $? -ne 0 ]; then return 1; fi
 
     case "$result" in
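
Review bot: $TempFile1 is executed at result="$(. $TempFile1)", so it
must be a file this process created. The > redirection on the first
echo truncates whatever already exists at that path and follows
symlinks, which is only safe when the name came from tempfile (already
created and owned by the caller). With the fallback names from
modules/params this stays open; doing the first write under set -C
(noclobber), or refusing to run without tempfile, would close it. The
expansions are also unquoted throughout; "$TempFile1" is safer if TMPDIR
ever contains whitespace.
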
@@ -193,7 +193,6 @@ module_directory_menu () {
         edit_module "$result"
         ;;
     esac
-    rm -f $TempFile.1
   done
 }
 
@@ -248,24 +247,24 @@ edit_arguments () {
   local old_arguments="$(parse_arguments $module)"
 
   local arguments
-  module_args $module >$TempFile.3
+  module_args $module >$TempFile3
   local status=$?
   if [ $status -eq 2 ]; then
-    echo -n "msgBox \"" >$TempFile.2
-    cat $TempFile.3 >>$TempFile.2
-    echo "\" \"Module info\"">>$TempFile.2
-    arguments="`. $TempFile.2`"
+    echo -n "msgBox \"" >$TempFile2
+    cat $TempFile3 >>$TempFile2
+    echo "\" \"Module info\"">>$TempFile2
+    arguments="`. $TempFile2`"
     return 0
   fi
   if [ $status -ne 3 ]; then
-    echo -n "inputBox \"" >$TempFile.2
-    cat $TempFile.3 >>$TempFile.2 
-    echo "">>$TempFile.2
-    echo "$msg_enter_arguments_l\" \\" >>$TempFile.2
-    echo "\"$msg_enter_arguments\" \\" >>$TempFile.2
-    echo "\"$old_arguments\"" >>$TempFile.2
+    echo -n "inputBox \"" >$TempFile2
+    cat $TempFile3 >>$TempFile2 
+    echo "">>$TempFile2
+    echo "$msg_enter_arguments_l\" \\" >>$TempFile2
+    echo "\"$msg_enter_arguments\" \\" >>$TempFile2
+    echo "\"$old_arguments\"" >>$TempFile2
 
-    arguments="`. $TempFile.2`"
+    arguments="`. $TempFile2`"
     if [ $? -ne 0 ]; then return 1; fi
   else
     arguments=''
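
Review bot: The output of module_args is copied by
cat $TempFile3 >>$TempFile2 into the middle of a double-quoted shell
string, and the result is then executed by . $TempFile2. Any double
quote, backquote or $ in that text is interpreted by the shell instead
of being displayed. The patch changes where the file lives but not this;
reading the text into a variable and calling msgBox "$text" "Module info"
(and likewise inputBox) directly would remove both the sourcing and the
second temporary file.
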
@@ -493,13 +492,12 @@ update_modules_conf () {
           echo $line;
         fi; 
         done; 
-      )   > $TempFile.4
+      )   > $TempFile4
       if [ $modd ]; then
-        cat $TempFile.4 > $i
+        cat $TempFile4 > $i
         modd=""
       fi
     done
-    rm -f $TempFile.4
     if [ -z "$done" -a -n "$arguments" ]; then
       if [ "$machine" = s390 -a "$module" = qeth -o "$machine" = s390 -a "$module" = 
lcs -o "$machine" = s390 -a "$module" = netiucv -o "$machine" = s390 -a "$module" = 
ctc ]; then
         echo "$arguments" > $MODUTILSDIR/$module.chandev
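
Review bot: With the rm -f after the loop dropped, $TempFile4 keeps the
last rewritten configuration on disk until the exit trap runs. That is
acceptable for a file created by tempfile, but under the fallback names
its mode depends on the caller's umask, so set umask 077 before the
first write. Separately, cat $TempFile4 > $i rewrites the target in
place, so an interruption mid-copy leaves a truncated file, and $i,
$TempFile4 and the [ $modd ] test are all unquoted.
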
@@ -538,13 +536,12 @@ remove_from_modules_conf () {
          echo $line;
        fi; 
        done; 
-      )   > $TempFile.4
+      )   > $TempFile4
       if [ $modd ]; then
-       cat $TempFile.4 > $i
+       cat $TempFile4 > $i
        modd=""
       fi
     done
-    rm -f $TempFile.4
   fi
 
   update_modules

I'm not familiar enough with the boot floppies to test whether this
version works with them, but I've tried to test as much as I can on an
installed system (with bash and ash, with and without tempfile
installed).

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux micro 2.4.12-ac6+preempt-1 #1 Fri Oct 26 23:24:08 BST 2001 i686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages modconf depends on:
ii  modutils                      2.4.10-3   Linux module utilities.
ii  whiptail                      0.50.17-7  Displays user-friendly dialog boxe
ii  debianutils    1.15           Miscellaneous utilities specific to Debian.

-- 
Colin Phipps <[EMAIL PROTECTED]>   http://www.cph.demon.co.uk/
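
The three flaws listed in the report, and the fallback branch that
remains when tempfile is absent, can be avoided by keeping every scratch
file inside one private directory and writing under noclobber. The
following is an added example, not part of the original report or patch;
it assumes mktemp(1) is available, and make_scratch, safe_write and demo
are hypothetical names.

```shell
#!/bin/sh
# Added example; make_scratch, safe_write and demo are hypothetical names.

# Create a 0700 directory with an unpredictable name. mktemp -d creates it
# atomically and fails instead of reusing an existing path.
make_scratch() {
    _d=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/modconf.XXXXXX") || return 1
    printf '%s\n' "$_d"
}

# Write stdin to "$1" only if nothing is there yet. Under noclobber (set -C)
# '>' fails if the path already names a regular file, directly or through
# a symlink.
safe_write() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Constructed scenario: a name the script is about to write has been
# replaced by a symlink to another file. Returns 0 when safe_write refuses
# and the other file is left untouched.
demo() {
    scratch=$(make_scratch) || return 1
    printf 'original\n' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/planted"

    # Plain redirection, as in the fallback branch: follows the link.
    printf 'menu text\n' > "$scratch/planted"
    plain_result=$(cat "$scratch/target")

    printf 'original\n' > "$scratch/target"
    if printf 'menu text\n' | safe_write "$scratch/planted"; then
        guarded=written
    else
        guarded=refused
    fi
    guarded_result=$(cat "$scratch/target")

    rm -rf "$scratch"
    [ "$plain_result" = "menu text" ] && [ "$guarded" = refused ] &&
        [ "$guarded_result" = original ]
}

demo && echo "noclobber refused the planted link"
```
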

---------------------------------------
Received: (at 117283-done) by bugs.debian.org; 12 Sep 2002 06:17:07 +0000
>From [EMAIL PROTECTED] Thu Sep 12 01:17:07 2002
Return-path: <[EMAIL PROTECTED]>
Received: from 12-233-47-38.client.attbi.com (oink) [12.233.47.38] 
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 17pNHn-0008Cb-00; Thu, 12 Sep 2002 01:17:07 -0500
Received: by oink (Postfix, from userid 1000)
        id 7FB50739E1; Wed, 11 Sep 2002 23:21:43 -0700 (PDT)
Date: Wed, 11 Sep 2002 23:21:43 -0700
From: David Kimdon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: these modconf bugs are fixed and done
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Delivered-To: [EMAIL PROTECTED]


These bugs are fixed, they have been for some time but have been
marked fixed in NMU until now.

-David

