Subject: pkg/18748: www/mozilla/files/moz-install contains a temp-file security vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 10/21/2002 02:42:19
>Number: 18748
>Category: pkg
>Synopsis: www/mozilla/files/moz-install contains a temp-file security vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 20 23:43:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Greg A. Woods
>Release: pkgsr-current 2001/10/19
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD
>Description:
The www/mozilla/files/moz-install, which must normally be run as
root, uses a temporary file in a normally world-writable
directory that is vulnerable to symlink creation races. There
is no need to use /tmp here -- the ${WRKDIR} is just fine, and
though it may be writable by the person who initiated the build,
the result of the build will be installed as root, and two of
the installed binaries will be run as root, so protecting root
from the builder is really pointless.
The same script also uses an incorrect set of signal numbers on
its cleanup trap. Fatal errors such as SIGBUS and SIGSEGV and
SIGQUIT should not try to clean up nicely -- only "normal"
termination should do cleanup.
>How-To-Repeat:
by examination
>Fix:
Index: www/mozilla/files/moz-install
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/www/mozilla/files/moz-install,v
retrieving revision 1.3
diff -c -r1.3 moz-install
*** www/mozilla/files/moz-install 19 Oct 2002 15:00:02 -0000 1.3
--- www/mozilla/files/moz-install 21 Oct 2002 05:57:35 -0000
***************
*** 10,17 ****
#
# Substitute variables
#
! TMP_PLIST=/tmp/TMP_PLIST.$$
! trap "${RM} -f ${TMP_PLIST}" 1 2 3 10 11
${SED} -e "s/\${MOZILLA}/${MOZILLA}/g" -e "s/\${SO_SUFFIX}/${SO_SUFFIX}/" -e "s/\${MOZILLA_BIN}/${MOZILLA_BIN}/g" < ${PLIST_SRC} > ${TMP_PLIST}
--- 10,17 ----
#
# Substitute variables
#
! TMP_PLIST=${WRKDIR}/TMP_PLIST.$$
! trap "${RM} -f ${TMP_PLIST}" 1 2 15
${SED} -e "s/\${MOZILLA}/${MOZILLA}/g" -e "s/\${SO_SUFFIX}/${SO_SUFFIX}/" -e "s/\${MOZILLA_BIN}/${MOZILLA_BIN}/g" < ${PLIST_SRC} > ${TMP_PLIST}
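Review bot: the new trap line, `trap "${RM} -f ${TMP_PLIST}" 1 2 15`, removes the file but does not exit, so after a SIGHUP, SIGINT or SIGTERM the script carries on and the `${SED} ... > ${TMP_PLIST}` step and whatever follows run as if nothing had happened; consider `trap "${RM} -f ${TMP_PLIST}; exit 1" 1 2 15`. On the `TMP_PLIST=${WRKDIR}/TMP_PLIST.$$` line, the name is still predictable from the PID and is still opened with a plain `>` redirect, which follows an existing symlink, so the change relies entirely on who can write to ${WRKDIR}. Nothing in the hunk shows that ${WRKDIR} is set in this script's environment; if it is empty the file is created as /TMP_PLIST.$$, so a guard such as `: "${WRKDIR:?}"` before the assignment would make that failure explicit.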
>Release-Note:
>Audit-Trail:
>Unformatted:
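
The symlink race described in this report, reproduced inside a private scratch directory as an added example (not part of the original report or of the pkgsrc script). It compares the predictable-name redirect with two exclusive-creation alternatives, noclobber and mktemp, which go beyond the report's fix of moving the file to ${WRKDIR}; the function names and the stand-in "victim" file are constructed for illustration.

```shell
#!/bin/sh
# Added example. All paths are constructed inside a private scratch directory.

# The pattern being replaced: predictable name plus a plain '>' redirect,
# which follows a symlink already present at that name.
write_predictable() {            # $1 = directory, $2 = content
    printf '%s\n' "$2" > "$1/TMP_PLIST.$$"
}

# Same name, but noclobber makes '>' refuse to overwrite an existing
# regular file, including one reached through a symlink.
write_noclobber() {              # $1 = directory, $2 = content
    ( set -C; printf '%s\n' "$2" > "$1/TMP_PLIST.$$" ) 2>/dev/null
}

# mktemp picks an unpredictable name and creates it exclusively, mode 0600.
write_mktemp() {                 # $1 = directory, $2 = content; prints the path
    f=$(mktemp "$1/TMP_PLIST.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Stage a stand-in "victim" file and a symlink to it at the predictable name,
# run the named writer, and succeed only if the victim is unchanged.
victim_survives() {              # $1 = writer function name
    scratch=$(mktemp -d) || return 2
    mkdir "$scratch/tmp"
    printf 'original\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/tmp/TMP_PLIST.$$"
    "$1" "$scratch/tmp" "plist data" >/dev/null 2>&1
    content=$(cat "$scratch/victim")
    rm -rf "$scratch"
    [ "$content" = "original" ]
}

for writer in write_predictable write_noclobber write_mktemp; do
    if victim_survives "$writer"; then
        echo "$writer: victim file untouched"
    else
        echo "$writer: victim file overwritten through the symlink"
    fi
done
```

The noclobber variant fails closed when the name is already taken, so a caller has to treat its non-zero status as an error rather than retry with the same name.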