Bug 21292 - bash creates insecure tmp files
Summary: bash creates insecure tmp files
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bash   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-11-24 09:29 UTC by BORBELY Zoltan
Modified: 2007-03-27 03:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-27 15:54:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed fix (558 bytes, patch)
2000-11-24 13:20 UTC, Bernhard Rosenkraenzer
no flags Details | Diff
Fixed patch (815 bytes, patch)
2000-11-24 13:55 UTC, Bernhard Rosenkraenzer
no flags Details | Diff

Description BORBELY Zoltan 2000-11-24 09:29:22 UTC
I've read a mail from BUGTRAQ written by Paul Szabo
http://www.securityfocus.com/templates/archive.pike?list=1&mid=146657
about sh << vulnerability (the same as the tcsh vulnerability). I've tested
it under redhat/i386 6.2. The bash1 contains the same bug, incorrectly
create (without the O_EXCL flag) temporary files. Probably other redhat
versions affected too.

#!/bin/bash
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/t$[$$+3]-sh
cat <<EOF
Only root can create /etc/nologin.
Do any boot-time scripts use sh?
EOF
ls -l /tmp/nologin
cat
/tmp/nologin                                                                

I've checked this with bash2, it isn't vulnerable (bash2 uses the O_EXCL
flag when creating tmp files).

Comment 1 Bernhard Rosenkraenzer 2000-11-24 13:20:53 UTC
Created attachment 5702 [details]
Proposed fix

Comment 2 Bernhard Rosenkraenzer 2000-11-24 13:28:04 UTC
Working on it - the patch I've attached should fix the problem.

Comment 3 Bernhard Rosenkraenzer 2000-11-24 13:55:36 UTC
Created attachment 5703 [details]
Fixed patch

Comment 4 Bernhard Rosenkraenzer 2000-11-24 13:56:01 UTC
Oops, forgot about the umask().

Comment 5 Bernhard Rosenkraenzer 2000-11-27 17:35:44 UTC
Update released.


Note You need to log in before you can comment on or make changes to this bug.