diff options
| author | Manoj Srivastava <srivasta@debian.org> | 2008-08-29 17:53:34 -0500 |
|---|---|---|
| committer | Manoj Srivastava <srivasta@debian.org> | 2008-08-29 17:53:34 -0500 |
| commit | 2a8e492657d22f1ee00ea8e3d7a76b900b7bcd18 (patch) | |
| tree | e1c1bb88f9b33ef007e684e89c34d9acda8e7510 | |
| parent | 6ed168ff814db8f9bcaad6f2e218fb2bbacbdb1c (diff) | |
Fix unsafe use of symbolic links in /tmp
If a script uses a temp file which is created in /tmp, then an
attacker can create symlink with the same name in this directory in
order to destroy or rewrite some system or user files. Symlink attack
may also lead not only to the data desctruction but to denial of
service as well. Creating files with rand or pid to randomize the file
names is not adequate to protect the system.
We now use File::Temp to safely create the temporary files as needed.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
| -rwxr-xr-x | pat/patcil.SH | 14 | ||||
| -rwxr-xr-x | pat/patdiff.SH | 22 |
2 files changed, 22 insertions, 14 deletions
diff --git a/pat/patcil.SH b/pat/patcil.SH index 6e181d3..484673e 100755 --- a/pat/patcil.SH +++ b/pat/patcil.SH @@ -61,6 +61,8 @@ $startperl !GROK!THIS! cat >>patcil <<'!NO!SUBS!' +use File::Temp qw/ tempfile tempdir /; + $progname = &profile; # Read ~/.dist_profile require 'getopts.pl'; &usage unless $#ARGV >= 0; @@ -504,12 +506,12 @@ x Toggle patch# prefix. sub edit { local($text) = join("\n", @_); - open(TMP,">/tmp/cil$$") || die "Can't create /tmp/cil$$"; - print TMP $text; - close TMP; - system $EDITOR, "/tmp/cil$$"; - $text = `cat /tmp/cil$$`; - unlink "/tmp/cil$$"; + my $tmp = File::Temp->new(); + print $tmp $text; + close $tmp; + system $EDITOR, "$tmp"; + $text = `cat "$tmp"`; + unlink "$tmp"; $text; } diff --git a/pat/patdiff.SH b/pat/patdiff.SH index 33ba90c..846b058 100755 --- a/pat/patdiff.SH +++ b/pat/patdiff.SH @@ -49,6 +49,8 @@ $startperl !GROK!THIS! cat >>patdiff <<'!NO!SUBS!' +use File::Temp qw/ tempfile tempdir /; + $RCSEXT = ',v' unless $RCSEXT; $TOPDIR = ''; # We are at top-level directory @@ -159,9 +161,11 @@ foreach $file (@ARGV) { close DIFF; system 'rcs', "-Nlastpat:$new", @files; } else { - ©right'expand("co -p -rlastpat $file", "/tmp/pdo$$"); - ©right'expand("co -p -r$new $file", "/tmp/pdn$$"); - open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") || + my $tmpo = File::Temp->new(); + my $tmpn = File::Temp->new(); + ©right'expand("co -p -rlastpat $file", "$tmpo"); + ©right'expand("co -p -r$new $file", "$tmpn"); + open(DIFF, "$mydiff $tmpo $tmpn |") || die "Can't run $mydiff"; while (<DIFF>) { # Contextual or unified diff if ($. == 1) { @@ -177,7 +181,7 @@ foreach $file (@ARGV) { } close DIFF; system 'rcs', "-Nlastpat:$new", @files; - unlink "/tmp/pdn$$", "/tmp/pdo$$"; + unlink "$tmpo", "$tmpn"; } } else { if ($mydiff eq '') { @@ -191,9 +195,11 @@ foreach $file (@ARGV) { } close DIFF; } else { - system "co -p -rlastpat $files >/tmp/pdo$$"; - system "cp $file /tmp/pdn$$"; - open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") || + my $tmpo = File::Temp->new(); + my $tmpn = File::Temp->new(); + system "co -p -rlastpat $files >$tmpo"; + system "cp $file $tmpn"; + open(DIFF, "$mydiff $tmpo $tmpn |") || die "$progname: can't fork $mydiff: $!\n"; while (<DIFF>) { # Contextual or unified diff @@ -209,7 +215,7 @@ foreach $file (@ARGV) { print PATCH; } close DIFF; - unlink "/tmp/pdn$$", "/tmp/pdo$$"; + unlink "$tmpo", "$tmpn"; } } } |