Subject: pkg/18748: www/mozilla/files/moz-install contains a temp-file security vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 10/21/2002 02:42:19
>Number:         18748
>Category:       pkg
>Synopsis:       www/mozilla/files/moz-install contains a temp-file security vulnerability
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 20 23:43:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Greg A. Woods
>Release:        pkgsrc-current 2001/10/19
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD

>Description:

	The www/mozilla/files/moz-install script, which must normally be run as
	root, uses a temporary file in a normally world-writable
	directory that is vulnerable to symlink creation races.  There
	is no need to use /tmp here -- the ${WRKDIR} is just fine, and
	though it may be writable by the person who initiated the build,
	the result of the build will be installed as root, and two of
	the installed binaries will be run as root, so protecting root
	from the builder is really pointless.

	The same script also uses an incorrect set of signal numbers on
	its cleanup trap.  Fatal errors such as SIGBUS and SIGSEGV and
	SIGQUIT should not try to clean up nicely -- only "normal"
	termination should do cleanup.

>How-To-Repeat:

	by examination

>Fix:

Index: www/mozilla/files/moz-install
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/www/mozilla/files/moz-install,v
retrieving revision 1.3
diff -c -r1.3 moz-install
*** www/mozilla/files/moz-install	19 Oct 2002 15:00:02 -0000	1.3
--- www/mozilla/files/moz-install	21 Oct 2002 05:57:35 -0000
***************
*** 10,17 ****
  #
  #	Substitute variables
  #
! TMP_PLIST=/tmp/TMP_PLIST.$$
! trap "${RM} -f ${TMP_PLIST}" 1 2 3 10 11
  
  ${SED} -e "s/\${MOZILLA}/${MOZILLA}/g" -e "s/\${SO_SUFFIX}/${SO_SUFFIX}/" -e "s/\${MOZILLA_BIN}/${MOZILLA_BIN}/g" < ${PLIST_SRC} > ${TMP_PLIST}
  
--- 10,17 ----
  #
  #	Substitute variables
  #
! TMP_PLIST=${WRKDIR}/TMP_PLIST.$$
! trap "${RM} -f ${TMP_PLIST}" 1 2 15
  
  ${SED} -e "s/\${MOZILLA}/${MOZILLA}/g" -e "s/\${SO_SUFFIX}/${SO_SUFFIX}/" -e "s/\${MOZILLA_BIN}/${MOZILLA_BIN}/g" < ${PLIST_SRC} > ${TMP_PLIST}
  
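Review bot: the new trap action on signals 1 2 15 only runs ${RM} -f ${TMP_PLIST} and never exits, so after HUP, INT or TERM the shell deletes the file and then resumes the rest of the script; end the action with "; exit 1". Nothing in these lines removes the file on normal completion either, so unless that happens further down the script, add 0 to the trap list for that case. On the first changed line, ${WRKDIR} is used without a check that it is set: if it is empty the file is created as /TMP_PLIST.$$, and because the name is still predictable the fix depends entirely on WRKDIR not being writable by other users.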
>Release-Note:
>Audit-Trail:
>Unformatted:
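
The symlink problem described in the report, shown as an added example that is not part of the original message or of pkgsrc: a plain redirection to a predictable name writes through a link that is already there, while an exclusive create refuses it. The function names are hypothetical, and the mktemp sandbox with its planted link is a constructed stand-in for a shared directory.

```shell
#!/bin/sh
# Added example, not from moz-install. All names here are hypothetical.

# Create "$1" exclusively. Under noclobber (set -C) the shell refuses an
# existing regular file and opens a new name with O_EXCL, so a file or
# symlink already sitting at that name makes the create fail.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# The pattern the report criticises: predictable name, plain redirection.
create_predictable() {
    : > "$1"
}

# Returns 0 when the plain redirection truncated the link target and the
# exclusive create refused the same planted link. Runs in a subshell so
# the traps and variables stay local.
demo() (
    sandbox=$(mktemp -d) || exit 2
    trap 'rm -rf "$sandbox"' 0                # normal exit: clean up
    trap 'rm -rf "$sandbox"; exit 1' 1 2 15   # HUP/INT/TERM: clean up, stop
    victim=$sandbox/victim
    name=$sandbox/TMP_PLIST.$$
    echo important > "$victim"
    ln -s "$victim" "$name"                   # constructed: link planted first

    create_predictable "$name"
    [ ! -s "$victim" ] || exit 3              # '>' followed the link

    echo important > "$victim"
    create_exclusive "$name" && exit 4        # must refuse the planted link
    [ -s "$victim" ] || exit 5                # target left untouched

    rm -f "$name"
    create_exclusive "$name" || exit 6        # fresh name: create succeeds
    [ -f "$name" ] && [ ! -L "$name" ]
)

demo && echo "exclusive create refused the planted symlink"
```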