From 2a8e492657d22f1ee00ea8e3d7a76b900b7bcd18 Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Fri, 29 Aug 2008 17:53:34 -0500 Subject: Fix unsafe use of symbolic links in /tmp If a script uses a temp file which is created in /tmp, then an attacker can create symlink with the same name in this directory in order to destroy or rewrite some system or user files. Symlink attack may also lead not only to the data desctruction but to denial of service as well. Creating files with rand or pid to randomize the file names is not adequate to protect the system. We now use File::Temp to safely create the temporary files as needed. Signed-off-by: Manoj Srivastava --- pat/patcil.SH | 14 ++++++++------ pat/patdiff.SH | 22 ++++++++++++++-------- 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/pat/patcil.SH b/pat/patcil.SH index 6e181d3..484673e 100755 --- a/pat/patcil.SH +++ b/pat/patcil.SH @@ -61,6 +61,8 @@ $startperl !GROK!THIS! cat >>patcil <<'!NO!SUBS!' +use File::Temp qw/ tempfile tempdir /; + $progname = &profile; # Read ~/.dist_profile require 'getopts.pl'; &usage unless $#ARGV >= 0; @@ -504,12 +506,12 @@ x Toggle patch# prefix. sub edit { local($text) = join("\n", @_); - open(TMP,">/tmp/cil$$") || die "Can't create /tmp/cil$$"; - print TMP $text; - close TMP; - system $EDITOR, "/tmp/cil$$"; - $text = `cat /tmp/cil$$`; - unlink "/tmp/cil$$"; + my $tmp = File::Temp->new(); + print $tmp $text; + close $tmp; + system $EDITOR, "$tmp"; + $text = `cat "$tmp"`; + unlink "$tmp"; $text; } diff --git a/pat/patdiff.SH b/pat/patdiff.SH index 33ba90c..846b058 100755 --- a/pat/patdiff.SH +++ b/pat/patdiff.SH @@ -49,6 +49,8 @@ $startperl !GROK!THIS! cat >>patdiff <<'!NO!SUBS!' +use File::Temp qw/ tempfile tempdir /; + $RCSEXT = ',v' unless $RCSEXT; $TOPDIR = ''; # We are at top-level directory @@ -159,9 +161,11 @@ foreach $file (@ARGV) { close DIFF; system 'rcs', "-Nlastpat:$new", @files; } else { - ©right'expand("co -p -rlastpat $file", "/tmp/pdo$$"); - ©right'expand("co -p -r$new $file", "/tmp/pdn$$"); - open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") || + my $tmpo = File::Temp->new(); + my $tmpn = File::Temp->new(); + ©right'expand("co -p -rlastpat $file", "$tmpo"); + ©right'expand("co -p -r$new $file", "$tmpn"); + open(DIFF, "$mydiff $tmpo $tmpn |") || die "Can't run $mydiff"; while () { # Contextual or unified diff if ($. == 1) { @@ -177,7 +181,7 @@ foreach $file (@ARGV) { } close DIFF; system 'rcs', "-Nlastpat:$new", @files; - unlink "/tmp/pdn$$", "/tmp/pdo$$"; + unlink "$tmpo", "$tmpn"; } } else { if ($mydiff eq '') { @@ -191,9 +195,11 @@ foreach $file (@ARGV) { } close DIFF; } else { - system "co -p -rlastpat $files >/tmp/pdo$$"; - system "cp $file /tmp/pdn$$"; - open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") || + my $tmpo = File::Temp->new(); + my $tmpn = File::Temp->new(); + system "co -p -rlastpat $files >$tmpo"; + system "cp $file $tmpn"; + open(DIFF, "$mydiff $tmpo $tmpn |") || die "$progname: can't fork $mydiff: $!\n"; while () { # Contextual or unified diff @@ -209,7 +215,7 @@ foreach $file (@ARGV) { print PATCH; } close DIFF; - unlink "/tmp/pdn$$", "/tmp/pdo$$"; + unlink "$tmpo", "$tmpn"; } } } -- cgit v1.2.3