Bug 154991 - sharutils CAN-2005-0990 unsecure temp file usage
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: sharutils
Version: fc2
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 1, rh90, rh73, 2
Keywords: Security
Depends On: 154051
Reported: 2005-04-15 10:14 EDT by Matthew Miller
Modified: 2007-04-18 13:23 EDT
Last Closed: 2005-07-10 17:27:20 EDT
Doc Type: Bug Fix

Description Matthew Miller 2005-04-15 10:14:06 EDT
+++ This bug was initially created as a clone of Bug #154051 +++
+++ This bug was initially created as a clone of Bug #154049 +++

The way sharutils handles temporary files is insecure (as reported by the Debian
BTS):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412

The Debian bug contains a patch for this issue.

--------------------------------------------------------------------------

Looks like this update missed the FC2 cutoff -- cloning into Fedora Legacy.

Red Hat folks: is the sharutils-4.2.1-18.2.FC2 package available anywhere? Thanks!
Comment 1 Marc Deslauriers 2005-04-16 10:46:53 EDT
We must make sure CAN-2004-1772 and CAN-2004-1773 are fixed as well.
Comment 2 Marc Deslauriers 2005-04-17 15:02:14 EDT
Here are updated sharutils packages to QA:

CAN-2004-1772 and CAN-2004-1773 were already fixed by the previous releases.

* Sun Apr 17 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
4.2.1-18.2.FC2.legacy
- Added security fix for CAN-2005-0990


http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.src.rpm

Comment 3 Ngo Than 2005-04-18 11:20:20 EDT
You will find the sharutils-4.2.1-18.2.FC2 srpm on tp://people.redhat.com/than/fc2
Comment 4 Marc Deslauriers 2005-04-18 18:48:29 EDT
This bug must go through the FL QA process...
Comment 5 Pekka Savola 2005-04-20 14:45:57 EDT
QA w/ rpm-build-compare.sh:

 - source integrity good
 - patch verified to come from debian
 - spec file changes minimal

+PUBLISH RHL73,RHL9,FC1,FC2

Comment 6 Michal Jaegermann 2005-04-30 20:22:11 EDT
The same patch is also used in FC3 sources (which caught up recently with
other security patch present in Legacy sources from October last year).
This should be a "no brainer" publish.
Comment 7 Marc Deslauriers 2005-05-02 08:05:41 EDT
Packages were pushed to updates-testing
Comment 8 Tom Yates 2005-05-02 10:59:44 EDT
00132d8850d0db03c6adae00ecece7c99de20223 sharutils-4.2.1-16.9.2.legacy.i386.rpm

Installs OK. If I read the Debian report aright, the bug specifically
affects the unshar command, so:

[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0  fred
[madhatta@www foo]$ shar fred > fred.shar
shar: Saving fred (text)
[madhatta@www foo]$ rm fred
[madhatta@www foo]$ unshar fred.shar
/home/madhatta/tmp/foo/fred.shar:
x - creating lock directory
x - extracting fred (text)
[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0  fred
[madhatta@www foo]$

Looks like unshar works, at least on a trivial case. I don't really use it
much, so can't give it a thorough workout (sorry).

+VERIFY RH9

Comment 9 Pekka Savola 2005-05-03 06:38:44 EDT
QA on RHL73:
 
I created a shar file and unsharred it fine.
 
I didn't manage to see anything interesting when I straced 'unshar
archive.shar' but when I straced 'sh ./archive.shar', I did notice a temp
file was being created with a reasonable randomness, so this should be OK.
 
[pid  4889] open("/tmp/sh-thd-2963738994", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3
[pid  4889] open("/tmp/sh-thd-2963738994", O_RDONLY|O_LARGEFILE) = 4
 
+VERIFY RHL73
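The QA step above reads strace output by eye to confirm the temp file is opened with O_EXCL and mode 0600. As an added example (not from the bug report or the sharutils sources), a small Python audit that applies the same check over strace open() lines: the sample lines are constructed, the first two copying the safe pattern quoted in the comment and the rest showing what the check should flag.

```python
import re
from typing import Dict, List

# Constructed sample strace output (not captured from sharutils).
# Lines 1-2 mirror the safe pattern from the QA comment; 3-4 are unsafe.
SAMPLE_STRACE = """\
[pid  4889] open("/tmp/sh-thd-2963738994", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3
[pid  4889] open("/tmp/sh-thd-2963738994", O_RDONLY|O_LARGEFILE) = 4
[pid  4890] open("/tmp/unshar.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
[pid  4890] open("/var/tmp/work.1234", O_WRONLY|O_CREAT|O_EXCL, 0666) = 6
[pid  4891] open("/home/user/notes.txt", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 7
"""

# open("path", FLAGS[, mode]) = fd   -- the mode group is absent without O_CREAT
OPEN_RE = re.compile(
    r'open\("(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)'
    r'(?:,\s*(?P<mode>0[0-7]+))?\)\s*=\s*(?P<fd>-?\d+)'
)
SHARED_TMP_DIRS = ("/tmp/", "/var/tmp/")


def audit_strace(text: str) -> List[Dict[str, str]]:
    """Flag open() calls that create files in a shared temp directory
    without O_EXCL (an existing file or symlink would be followed) or
    with a mode that lets other users read or write the file."""
    findings = []
    for line in text.splitlines():
        m = OPEN_RE.search(line)
        if not m:
            continue
        path = m["path"]
        flags = set(m["flags"].split("|"))
        mode = m["mode"]
        # Only file creation in world-writable directories is of interest.
        if "O_CREAT" not in flags or not path.startswith(SHARED_TMP_DIRS):
            continue
        problems = []
        if "O_EXCL" not in flags:
            problems.append("no O_EXCL: pre-existing file or symlink is reused")
        if mode is not None and int(mode, 8) & 0o077:
            problems.append(f"mode {mode} is group/world accessible")
        if problems:
            findings.append({"path": path, "problems": "; ".join(problems)})
    return findings


if __name__ == "__main__":
    for f in audit_strace(SAMPLE_STRACE):
        print(f"{f['path']}: {f['problems']}")
```

The first sample line passes because it combines O_CREAT with O_EXCL and a private 0600 mode; the same check can be run on real strace output of `sh ./archive.shar`.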
Comment 10 Mikhail Koshelev 2005-05-04 05:31:21 EDT
RH73 package in updates (sharutils-4.2.1-12.7.x.legacy.i386.rpm) wins version
comparison with new package in updates-testing
(sharutils-4.2.1-12.7.x.1.legacy.i386.rpm).

$ rpmver -v 4.2.1-12.7.x.1.legacy 4.2.1-12.7.x.legacy
RPM version 4.2.1-12.7.x.1.legacy is lesser than version 4.2.1-12.7.x.legacy.

Version bump is needed.
Comment 11 Marc Deslauriers 2005-05-05 22:07:26 EDT
Version bump was done on rh73 packages in updates-testing.
Comment 12 Pekka Savola 2005-06-16 08:42:09 EDT
Two verifys, timeout in 2 weeks.
Comment 13 Pekka Savola 2005-07-01 14:39:52 EDT
Timeout over, to be released.
Comment 14 Marc Deslauriers 2005-07-10 17:27:20 EDT
Packages were released to updates.