Bug 21292 - bash creates insecure tmp files
bash creates insecure tmp files
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: bash (Show other bugs)
6.2
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-11-24 04:29 EST by BORBELY Zoltan
Modified: 2007-03-26 23:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-27 10:54:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed fix (558 bytes, patch)
2000-11-24 08:20 EST, Bernhard Rosenkraenzer
no flags Details | Diff
Fixed patch (815 bytes, patch)
2000-11-24 08:55 EST, Bernhard Rosenkraenzer
no flags Details | Diff

  None (edit)
Description BORBELY Zoltan 2000-11-24 04:29:22 EST
I've read a mail from BUGTRAQ written by Paul Szabo
http://www.securityfocus.com/templates/archive.pike?list=1&mid=146657
about sh << vulnerability (the same as the tcsh vulnerability). I've tested
it under redhat/i386 6.2. The bash1 contains the same bug, incorrectly
create (without the O_EXCL flag) temporary files. Probably other redhat
versions affected too.

#!/bin/bash
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/t$[$$+3]-sh
cat <<EOF
Only root can create /etc/nologin.
Do any boot-time scripts use sh?
EOF
ls -l /tmp/nologin
cat
/tmp/nologin                                                                

I've checked this with bash2, it isn't vulnerable (bash2 uses the O_EXCL
flag when creating tmp files).
Comment 1 Bernhard Rosenkraenzer 2000-11-24 08:20:53 EST
Created attachment 5702 [details]
Proposed fix
Comment 2 Bernhard Rosenkraenzer 2000-11-24 08:28:04 EST
Working on it - the patch I've attached should fix the problem.
Comment 3 Bernhard Rosenkraenzer 2000-11-24 08:55:36 EST
Created attachment 5703 [details]
Fixed patch
Comment 4 Bernhard Rosenkraenzer 2000-11-24 08:56:01 EST
Oops, forgot about the umask().
Comment 5 Bernhard Rosenkraenzer 2000-11-27 12:35:44 EST
Update released.

Note You need to log in before you can comment on or make changes to this bug.