1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
From 827f2bdd369907ce7510268c6c01a350dd7cb57d Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Fri, 29 Aug 2008 17:53:34 -0500
Subject: [PATCH 2/4] Fix unsafe use of symbolic links in /tmp
If a script uses a temp file which is created in /tmp, then an
attacker can create symlink with the same name in this directory in
order to destroy or rewrite some system or user files. Symlink attack
may also lead not only to the data desctruction but to denial of
service as well. Creating files with rand or pid to randomize the file
names is not adequate to protect the system.
We now use File::Temp to safely create the temporary files as needed.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
---
pat/patcil.SH | 14 ++++++++------
pat/patdiff.SH | 22 ++++++++++++++--------
2 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/pat/patcil.SH b/pat/patcil.SH
index c6912b3..d8d0511 100755
--- a/pat/patcil.SH
+++ b/pat/patcil.SH
@@ -61,6 +61,8 @@ $startperl
!GROK!THIS!
cat >>patcil <<'!NO!SUBS!'
+use File::Temp qw/ tempfile tempdir /;
+
$progname = &profile; # Read ~/.dist_profile
require 'getopts.pl';
&usage unless $#ARGV >= 0;
@@ -504,12 +506,12 @@ x Toggle patch# prefix.
sub edit {
local($text) = join("\n", @_);
- open(TMP,">/tmp/cil$$") || die "Can't create /tmp/cil$$";
- print TMP $text;
- close TMP;
- system $EDITOR, "/tmp/cil$$";
- $text = `cat /tmp/cil$$`;
- unlink "/tmp/cil$$";
+ my $tmp = File::Temp->new();
+ print $tmp $text;
+ close $tmp;
+ system $EDITOR, "$tmp";
+ $text = `cat "$tmp"`;
+ unlink "$tmp";
$text;
}
diff --git a/pat/patdiff.SH b/pat/patdiff.SH
index 991d4bf..3ca1973 100755
--- a/pat/patdiff.SH
+++ b/pat/patdiff.SH
@@ -49,6 +49,8 @@ $startperl
!GROK!THIS!
cat >>patdiff <<'!NO!SUBS!'
+use File::Temp qw/ tempfile tempdir /;
+
$RCSEXT = ',v' unless $RCSEXT;
$TOPDIR = ''; # We are at top-level directory
@@ -159,9 +161,11 @@ foreach $file (@ARGV) {
close DIFF;
system 'rcs', "-Nlastpat:$new", @files;
} else {
- ©right'expand("co -p -rlastpat $file", "/tmp/pdo$$");
- ©right'expand("co -p -r$new $file", "/tmp/pdn$$");
- open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") ||
+ my $tmpo = File::Temp->new();
+ my $tmpn = File::Temp->new();
+ ©right'expand("co -p -rlastpat $file", "$tmpo");
+ ©right'expand("co -p -r$new $file", "$tmpn");
+ open(DIFF, "$mydiff $tmpo $tmpn |") ||
die "Can't run $mydiff";
while (<DIFF>) { # Contextual or unified diff
if ($. == 1) {
@@ -177,7 +181,7 @@ foreach $file (@ARGV) {
}
close DIFF;
system 'rcs', "-Nlastpat:$new", @files;
- unlink "/tmp/pdn$$", "/tmp/pdo$$";
+ unlink "$tmpo", "$tmpn";
}
} else {
if ($mydiff eq '') {
@@ -191,9 +195,11 @@ foreach $file (@ARGV) {
}
close DIFF;
} else {
- system "co -p -rlastpat $files >/tmp/pdo$$";
- system "cp $file /tmp/pdn$$";
- open(DIFF, "$mydiff /tmp/pdo$$ /tmp/pdn$$ |") ||
+ my $tmpo = File::Temp->new();
+ my $tmpn = File::Temp->new();
+ system "co -p -rlastpat $files >$tmpo";
+ system "cp $file $tmpn";
+ open(DIFF, "$mydiff $tmpo $tmpn |") ||
die "$progname: can't fork $mydiff: $!\n";
while (<DIFF>) {
# Contextual or unified diff
@@ -209,7 +215,7 @@ foreach $file (@ARGV) {
print PATCH;
}
close DIFF;
- unlink "/tmp/pdn$$", "/tmp/pdo$$";
+ unlink "$tmpo", "$tmpn";
}
}
}
--
2.0.0.rc0
|
