Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-06 Thread Richard Kettlewell 
Jakob Lell [EMAIL PROTECTED] writes:
 many shell scripts use tempfiles like /tmp/tempfile.$$. This creates
 insecure tempfile vulnerabilities. One commonly used fix for this problem
 is to use set -e or/and set -C in the shell script. This makes the whole
 script fail if one command fails or pipes anything to an existing file
 (e.g. if the tempfile already exists).

'set -C' only detects already-existing regular files, it does not
prevent you writing your important data to (say) a named pipe with the
right name.

-- 
http://www.greenend.org.uk/rjk/

Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-05 Thread Andreas Metzler 
Santiago Vila [EMAIL PROTECTED] wrote:
 Jakob Lell wrote:
 many shell scripts use tempfiles like /tmp/tempfile.$$. This creates
 insecure tempfile vulnerabilities. One commonly used fix for this problem
 is to use set -e or/and set -C in the shell script. [...]

 Debian already has a general fix for that. It's called tempfile and
 it's in package debianutils, which is essential.
[...]

There is also mktemp(1) which is able to generate tempory files _and_
directories. Has by chance anybody checked the respective source-codes
and could tell us whether mktemp(1) or tempfile(1) should be prefered
for generating tempory /files/?

Another question: tempfile(1) says:
| Debian packages using tempfile in maintainer scripts must depend on
| debianutils = 1.6.

tempfile 1.6 was released april 1997, i.e. it was probably included in
Bo, or it for sure in Hamm. Shouldn't this sentence be removed, we
don't support upgrades from Bo or Hamm to potato anyway.
  
 cu andreas
-- 
Hey, da ist ein Ballonautomat auf der Toilette!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/

Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-05 Thread Santiago Vila 
On Fri, 5 Sep 2003, Andreas Metzler wrote:

 Another question: tempfile(1) says:
 | Debian packages using tempfile in maintainer scripts must depend on
 | debianutils = 1.6.

 tempfile 1.6 was released april 1997, i.e. it was probably included in
 Bo, or it for sure in Hamm. Shouldn't this sentence be removed, we
 don't support upgrades from Bo or Hamm to potato anyway.

What we support or we don't support regarding upgrades is not very
clear yet. It changes from developer to developer.

I believe supporting upgrades which skip one release (for example,
from oldstable to testing) should be a must, but unfortunately this is
not written anywhere.

Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-05 Thread Andrew Suffield 
On Fri, Sep 05, 2003 at 12:23:13PM +0200, Santiago Vila wrote:
 I believe supporting upgrades which skip one release (for example,
 from oldstable to testing) should be a must, but unfortunately this is
 not written anywhere.

Not to mention that it hasn't really worked for several releases now.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'  |
   `- --  |


pgp3vVhGh80V2.pgp
Description: PGP signature

many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-04 Thread Jakob Lell 
Hello,
many shell scripts use tempfiles like /tmp/tempfile.$$. This creates
insecure tempfile vulnerabilities. One commonly used fix for this problem
is to use set -e or/and set -C in the shell script. This makes the whole
script fail if one command fails or pipes anything to an existing file
(e.g. if the tempfile already exists). So this can often solve a insecure
tempfile creation. However, the script then fails if the file
/tmp/tempfile.$$ exists. As any user can create this files with wrong PIDs
and thus prevent other users from using the vulnerable program, this is a
local DOS vulnerability. The same problem occurs if the script uses
something like mkdir tmp$$  cd tmp$$ || exit (from /usr/bin/allec,
package tetex-bin 1.0.7+20011202-7.1) to exit if the file/directory
exists. For this reason it is IMO always a bad idea to use tempfiles or
directories like /tmp/tempfile.$$. You can use mktemp to get a tempfile or
mktemp -d to get a temporary directory securely.

Is it a good idea to report bugs against all packages containing this
local DOS vulnerability? Should this be reported to the security team?

Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-04 Thread Santiago Vila 
Jakob Lell wrote:

 many shell scripts use tempfiles like /tmp/tempfile.$$. This creates
 insecure tempfile vulnerabilities. One commonly used fix for this problem
 is to use set -e or/and set -C in the shell script. [...]

Debian already has a general fix for that. It's called tempfile and
it's in package debianutils, which is essential.

 [...]
 Is it a good idea to report bugs against all packages containing this
 local DOS vulnerability?

Yes, but please follow our common guidelines for reporting bugs.
If you plan to submit many of them, ask here before you start.

Re: many scripts fail if /tmp/tempfile.$$ exists - local DOS vulnerability

2003-09-04 Thread Keegan Quinn 
On Fri, Sep 05, 2003 at 12:50:01AM +0200, Santiago Vila wrote:
 Jakob Lell wrote:
  [...]
  Is it a good idea to report bugs against all packages containing this
  local DOS vulnerability?
 
 Yes, but please follow our common guidelines for reporting bugs.
 If you plan to submit many of them, ask here before you start.

Isn't that exactly what he did, in the message you just replied to?

I, for one, think it sounds like a good idea.

 - Keegan


pgp4A7StvkRHr.pgp
Description: PGP signature