Jan Hauke Rahm
2008-Sep-14 11:45 UTC
[Secure-testing-team] Bug#498901: Unsecure use of temporary files
Package: smsclient
Version: 2.0.8z-10
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224
Hi Jonathan,
you are using the process id in a shell script to create a "random"
temporary file (in contrib/mail2sms-shell/mail2sms.sh). Although this is
just documentation users could simply copy and paste the script which
would lead to a security issue on their system. I''d appreciate if you
fixed that.
The patch below tries to solve that problem and by the way fixes your
bashism bug #489661.
Please test thoroughly and upload ASAP if appropriate.
Cheers,
Hauke
*** bashandtmp.patch
diff -Naur smsclient-2.0.8z~/contrib/mail2sms-shell/mail2sms.sh
smsclient-2.0.8z/contrib/mail2sms-shell/mail2sms.sh
- --- smsclient-2.0.8z~/contrib/mail2sms-shell/mail2sms.sh 2008-09-14
13:34:37.000000000 +0200
+++ smsclient-2.0.8z/contrib/mail2sms-shell/mail2sms.sh 2008-09-14
13:39:16.000000000 +0200
@@ -8,12 +8,14 @@
# By Andy Hawkins (andy at gently.demon.co.uk)
- -/usr/bin/cp /dev/null /tmp/header.$$
+tmpfile=`mktemp header.XXXXXXXXXX`
+tmpfile2=`mktemp body.XXXXXXXXXX`
+/usr/bin/cp /dev/null $tmpfile
ELINE=0
while [ $ELINE -lt 3 ]
do
read LINE
- - echo "$LINE" >> /tmp/header.$$
+ echo "$LINE" >> $tmpfile
if [ "$LINE" = "" ]
then
ELINE=3
@@ -22,18 +24,18 @@
fi
done
- -SENDER=`head -n 1 /tmp/header.$$ | awk ''{print $2}''`
- -TARGET=`grep ^Subject: /tmp/header.$$ | awk ''{print $2}''`
+SENDER=`head -n 1 $tmpfile | awk ''{print $2}''`
+TARGET=`grep ^Subject: $tmpfile | awk ''{print $2}''`
ELINE=0
while [ $ELINE -lt 2 ]
do
read LINE
- - echo "$LINE" >> /tmp/body.$$
+ echo "$LINE" >> $tmpfile2
if [ "$LINE" = "" ]
then
- - let ELINE=ELINE+1
+ ELINE=$((ELINE+1))
else
ELINE=0
fi
@@ -45,7 +47,7 @@
SENT=0
while [ $RETRY -gt 1 ] && [ $SENT -eq 0 ]
do
- - MSG=`cat /tmp/body.$$`
+ MSG=`cat $tmpfile2`
/usr/bin/sms_client $TARGET "$MSG" >> /tmp/sms.log
case $? in
0) /bin/mailx -s "SMS success to $TARGET" $SENDER < /dev/null
@@ -63,7 +65,7 @@
SENT=1;;
*)
sleep 10
- - let RETRY=RETRY-1;;
+ RETRY=$((RETRY-1));;
esac
done
@@ -74,5 +76,5 @@
exit
fi
- -rm /tmp/header.$$
- -rm /tmp/body.$$
+rm $tmpfile
+rm $tmpfile2
- -- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, ''testing''), (600,
''unstable''), (500, ''experimental'')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iFYEARELAAYFAkjM+VQACgkQGOp6XeD8cQ0/yQDePghgg3MczNy3N68k6vXIyHrd
1NZNuKQ65Om2BwDfWjxEQolj733VY9bKH1pFqPk1zUQGUyGiEqGbUA==Jpnr
-----END PGP SIGNATURE-----