Alec Berryman
2006-May-15 15:23 UTC
[Secure-testing-team] Bug#334350: fix from Gentoo for "flexbackup default config insecure temporary file creation"
Package: flexbackup
Followup-For: Bug #334350
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gentoo has two patches for this issue. The first [1], attached to bug
#105000 [2], is supposedly from Debian, but was apparently never
uploaded. The patch reportedly breaks remote backups [3], though, and
bug #116510 [4] has a patch [5] that fixes both the original
vulnerability and the subsequent issues with remote backup. The second
patch applies cleanly to Debian''s version, but I have not tested it.
The second patch is attached unmodified.
[1] http://bugs.gentoo.org/attachment.cgi?id=69694&action=view
[2] http://bugs.gentoo.org/show_bug.cgi?id=105000
[3] http://bugs.gentoo.org/show_bug.cgi?id=105000#c15
[4] http://bugs.gentoo.org/show_bug.cgi?id=116510
[5] http://bugs.gentoo.org/attachment.cgi?id=86773&action=view
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEaJfEAud/2YgchcQRAgvBAJ94NMAlnvYNvVNykdoTB8ftmcfmbACdHBsg
8TsMQ1YhxSSi5H+TAcSSYXQ=M/2d
-----END PGP SIGNATURE-----
-------------- next part --------------
--- flexbackup 2003-10-10 07:12:09.000000000 -0700
+++ /usr/bin/flexbackup 2006-05-14 13:14:54.000000000 -0700
@@ -269,6 +269,7 @@
untie(%::index);
}
+system (''rm'', ''-rf'', $cfg::tmpdir);
exit(0);
######################################################################
@@ -811,6 +812,11 @@
($remove, @cmds) = &backup_filelist($label, $localdir, $title, $level,
$remote);
}
+ if(defined($remote)) {
+ # create our temporary directory as first remote command
+ unshift(@cmds, &maybe_remote_cmd("$::path{mkdir} -p
$cfg::tmpdir", $remote));
+ }
+
# Nuke any tmp files used in the above routines
if ($remove ne '''') {
push(@cmds, &maybe_remote_cmd("$::path{rm} -f $remove",
$remote));
@@ -827,6 +833,11 @@
push(@cmds, &maybe_remote_cmd("$::path{rm} -f $pkglist",
$remote));
}
}
+
+ if(defined($remote)) {
+ # remove temporary directory as our last remote command
+ push(@cmds, &maybe_remote_cmd("$::path{rm} -rf $cfg::tmpdir",
$remote));
+ }
# Strip multiple spaces
foreach my $cmd (@cmds) {
@@ -2750,8 +2761,9 @@
$::path{''find''} =
&checkinpath(''find'');
$::path{''dd''} = &checkinpath(''dd'');
$::path{''printf''} =
&checkinpath(''printf'');
+ $::path{''mkdir''} =
&checkinpath(''mkdir'');
-
push(@::remoteprogs,($::path{''touch''},$::path{''rm''},$::path{''find''},$::path{''printf''}));
+
push(@::remoteprogs,($::path{''touch''},$::path{''rm''},$::path{''find''},$::path{''printf''},$::path{''mkdir''}));
# Check device (or dir)
$::ftape = 0;
@@ -3442,6 +3454,15 @@
push(@::errors,"\$tmpdir $cfg::tmpdir is not writable");
}
+ $cfg::hostname = `hostname`;
+ chomp($cfg::hostname);
+
+ # Use a subdirectory of the user-specified directory as our tmpdir
+ # Also note that we make it closer to globally unique as we sometimes
+ # use this variable for remote systems, so PID isn''t enough
+ $cfg::tmpdir = $cfg::tmpdir
.''/flexbackup.''.$$.''.''.$cfg::hostname;
+ mkdir ($cfg::tmpdir) || die "Can''t create temporary
directory, $!";
+
# Levels
if (defined($::opt{''level''}) and
(defined($::opt{''incremental''}) or
@@ -5236,8 +5257,8 @@
# Create a script which tests the buffer program
open(SCR,"> $tmp_script") || die;
print SCR "#!/bin/sh\n";
- print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
- print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
+ print SCR "tmp_data=\`tempfile\`\n";
+ print SCR "tmp_err=\`tempfile\`\n";
print SCR "echo testme > \$tmp_data\n";
print SCR "$buffer_cmd > /dev/null 2> \$tmp_err <
\$tmp_data\n";
print SCR "res=\$?\n";