Bug 86168 - (CVE-2005-1759) VUL-0: CVE-2005-1759: shtool: tmpfile handling issue in shtool
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Joerg Arndt
Reported: 2005-05-27 07:03 UTC by Thomas Biege
Modified: 2021-11-03 14:39 UTC
Found By: Other

Attachments
shtool-2.0.1-fix-insecure-tmp-creation.diff (509 bytes, patch)
2005-05-27 07:05 UTC, Thomas Biege
shtool.gen.diff (3.38 KB, patch)
2005-06-15 14:03 UTC, Thomas Biege
shtool.src.diff (3.27 KB, patch)
2005-06-15 14:03 UTC, Thomas Biege

Description Thomas Biege 2005-05-27 07:03:09 UTC
This one came in over vendor-sec.

Subject: [vendor-sec] shtool tempfile handling vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 26 May 2005 13:55:15 +0200

Eric Romang reported a tempfile-handling issue in shtool, see:
http://www.zataz.net/adviso/shtool-05252005.txt

Our team proposed the attached patch, which was sent by the reporter to
upstream.

The problem is that shtool code is copied in many other packages,
including (but probably not limited to) PHP, OpenLDAP and ocaml-mysql.
Reporter said he would forward the patch to all affected upstream
authors but also disclosed the shtool vulnerability at the same time.

Steven: could you assign a CAN number to it ?

Our GLSA will go out once all affected packages in our tree get fixed,
which should take several days.

--
Comment 1 Thomas Biege 2005-05-27 07:03:23 UTC
From: "Steven M. Christey" <coley@linus.mitre.org>
To: Thierry Carrez <koon@gentoo.org>
Cc: vendor-sec@lst.de, coley@linus.mitre.org
Subject: [vendor-sec] Re: shtool tempfile handling vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 26 May 2005 13:00:12 -0400 (EDT)

Here's the CAN.

======================================================
Candidate: CAN-2005-1751
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
Reference: VULNWATCH:20050525 shtool insecure temporary file creation
Reference: MISC:http://www.zataz.net/adviso/shtool-05252005.txt
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=93782

Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
Comment 2 Thomas Biege 2005-05-27 07:05:13 UTC
Created attachment 38239 [details]
shtool-2.0.1-fix-insecure-tmp-creation.diff
Comment 3 Thomas Biege 2005-05-27 07:07:51 UTC
maybe shtools != shtool
Comment 4 Peter Poeml 2005-05-27 08:44:59 UTC
It's the GNU portable shell tool (not related to our package
shtools, which is a collection of other shell scripts, and was dropped
some time ago). It is packaged only with php4-devel and php5-devel, as
far as I can see, and it is affected by this vulnerability.
Comment 5 Peter Poeml 2005-05-27 08:47:23 UTC
Michal, is a php update currently going on, just by chance?

(If you have no time to handle it, just assign it to me.)
Comment 6 Thomas Biege 2005-05-30 11:25:58 UTC
> Eric Romang reported a tempfile-handling issue in shtool, see:
> http://www.zataz.net/adviso/shtool-05252005.txt

I had a closer look and found more tmpfile vulnerabilities in shtool:

Reuse of old tempfiles:

rm -f $tmpfile >/dev/null 2>&1
touch $tmpfile

Use of extensions on the already existing $tmpfile, for example:

echo >$tmpfile.c "#include <assert.h>"
echo >>$tmpfile.c "Syntax Error"
cpp="${CC-cc} -E"
(eval "$cpp $tmpfile.c >/dev/null") 2>$tmpfile.out

Tavis Ormandy proposed the following patch, which avoids using mktemp to
be more portable, by creating a directory into which shtool can do its
dirty tricks.

--
Thierry Carrez (Koon)
Gentoo Linux Security
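The directory-based approach described above, as an added POSIX sh example (this is not shtool's code and not the attached patch): mkdir(2) refuses a name that already exists, so the scratch directory is claimed atomically, then checked before use, and every scratch file, including the ".c" and ".out" extension variants, lives inside it. The names `safe_tmpdir` and `tmpdir_is_private` and the `date +%N` suffix are this example's own assumptions.

```shell
# safe_tmpdir: claim a fresh private scratch directory under ${TMPDIR:-/tmp}
# and print its path. mkdir fails if the name already exists, whether as a
# file, a directory or a symlink, so a pre-planted name is never followed;
# umask 077 makes the directory mode 0700. Returns 1 if no name was free.
safe_tmpdir() {
    base="${TMPDIR:-/tmp}"
    i=0
    while [ "$i" -lt 100 ]; do
        # $$ alone is guessable; the attempt counter and a sub-second suffix
        # (assumption: GNU date supports %N, elsewhere a literal "N" is
        # harmless) only reduce collisions. The safety property comes from
        # mkdir refusing an existing name, not from the name being secret.
        d="$base/.shtool.$$.$i.$(date +%N 2>/dev/null)"
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# tmpdir_is_private DIR: 0 if DIR is a real directory (not a symlink),
# owned by the caller, and not accessible to group or others. Run this
# before writing scratch files such as "$DIR/probe.c" into it.
tmpdir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1      # must exist and be a directory
    [ ! -L "$dir" ] || return 1    # ... and not a symlink to one
    [ -O "$dir" ] || return 1      # ... owned by us
    # group/other permission bits are columns 5-10 of the ls -ld mode string
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# Usage: the $tmpfile.c / $tmpfile.out pattern from the original code, with
# every scratch file kept inside the private directory and removed with it.
tmp=$(safe_tmpdir) || { echo "no private scratch directory" >&2; exit 1; }
trap 'rm -rf "$tmp"' 0
tmpdir_is_private "$tmp" && echo "scratch directory: $tmp"
echo '#include <assert.h>' > "$tmp/probe.c"
echo 'Syntax Error' >> "$tmp/probe.c"
```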
Comment 7 Thomas Biege 2005-05-30 11:26:56 UTC
> Thierry Carrez wrote:
> > Eric Romang reported a tempfile-handling issue in shtool, see:
> > http://www.zataz.net/adviso/shtool-05252005.txt
>
> I had a closer look and found more tmpfile vulnerabilities in shtool:

This is where multiple disclosures/bugs get fun for CVE.

Continue to use CAN-2005-1751 for the .shtool.$$ issue discovered and
published by Romang.

However, use CAN-2005-1759 for the Gentoo-discovered variants.

- Steve
Comment 8 Petr Ostadal 2005-05-30 16:53:49 UTC
Michal Cihar is leaving SuSE, I am new maintainer of php.
Comment 9 Petr Ostadal 2005-05-31 17:58:33 UTC
fixed and submitted the following packages:
mod_php4 for sles8, 8.2, 9.0
php4 for 9.1, SLES9, 9.2, 9.3, stable
php5 for 9.3 (for stable will be later)
Comment 10 Marcus Meissner 2005-06-01 09:34:46 UTC
please fix only packages where the problem will exist on the users' side.

if shtool is just used for building, a fix is not necessary for older products.
Comment 11 Peter Poeml 2005-06-01 11:12:21 UTC
phpize (the script which users use to build php extension modules on
their system) checks for shtool being present, and puts it in to the
configure script generated. 

 % phpize
Configuring for:
PHP Api Version:         20020918
Zend Module Api No:      20020429
Zend Extension Api No:   20021010
/usr/share/aclocal/gtkextra.m4:8: warning: underquoted definition of AM_PATH_GTKEXTRA
  run info '(automake)Extending aclocal'
  or see http://sources.redhat.com/automake/automake.html#Extending%20aclocal
/usr/local/share/aclocal/gtkextra.m4:8: warning: underquoted definition of AM_PATH_GTKEXTRA
 % grep -r shtool . | grep -v "^./build/shtool"
./acinclude.m4:  $php_shtool mkdir -p $BUILD_DIR
./Makefile.global:mkinstalldirs = $(top_srcdir)/build/shtool mkdir -p
./Makefile.global:INSTALL = $(top_srcdir)/build/shtool install -c
./ltmain.sh:       # Allow the use of GNU shtool's install command.
./ltmain.sh:       $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
./autom4te.cache/output.0:  elif test -f $ac_dir/shtool; then
./autom4te.cache/output.0:    ac_install_sh="$ac_aux_dir/shtool install -c"
./autom4te.cache/output.0:  $php_shtool mkdir -p $BUILD_DIR
./autom4te.cache/output.1:  elif test -f $ac_dir/shtool; then
./autom4te.cache/output.1:    ac_install_sh="$ac_aux_dir/shtool install -c"
./autom4te.cache/output.1:  $php_shtool mkdir -p $BUILD_DIR
./configure:  elif test -f $ac_dir/shtool; then
./configure:    ac_install_sh="$ac_aux_dir/shtool install -c"
./configure:  $php_shtool mkdir -p $BUILD_DIR

The used actions ("mkdir" and "install") don't seem to involve temp file
creation in /tmp, though, do they?
Comment 12 Thomas Biege 2005-06-14 07:11:51 UTC
Thierry Carrez wrote:

> Eric Romang reported a tempfile-handling issue in shtool, see:
> http://www.zataz.net/adviso/shtool-05252005.txt
>
> Our team proposed the attached patch, which was sent by the reporter to
> upstream.
>
> The problem is that shtool code is copied in many other packages,
> including (but probably not limited to) PHP, OpenLDAP and ocaml-mysql.

Small follow-up:

Tavis Ormandy inspected the PHP and OpenLDAP shtool calls and concluded
that they are using only safe functions. ocaml-mysql, though, makes use
of affected code.

We were unsuccessful getting feedback from shtool (or ocaml-mysql)
upstream. Our GLSA should go out sometime in the next 24 hours.

--
Thierry Carrez (Koon)
Gentoo Linux Security
Comment 13 Thomas Biege 2005-06-15 09:27:12 UTC
Joerg,
can you have a look if this really affects the ocaml code we ship. I doubt it...
Comment 14 Thomas Biege 2005-06-15 14:00:46 UTC
> We were unsuccessful getting feedback from shtool (or ocaml-mysql)
> upstream. Our GLSA should go out sometime in the next 24 hours.

Sorry, the mails to rse@gnu.org have not reached me as GNU seems to have
accidentally destroyed my mail forwarding and the bug-shtool@gnu.org mails
were filed to my SPAM folder.

I've today fixed the issue with GNU shtool 2.0.2 and we're also rolling
a mass of OpenPKG update packages today. Attached you find my official
patch for this issue: shtool.src.diff is against the GNU shtool sources,
shtool.gen.diff is against a generated "shtool" script as of version
2.0.1.
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com

Comment 15 Thomas Biege 2005-06-15 14:03:06 UTC
Created attachment 39274 [details]
shtool.gen.diff
Comment 16 Thomas Biege 2005-06-15 14:03:29 UTC
Created attachment 39275 [details]
shtool.src.diff
Comment 17 Marcus Meissner 2005-08-15 12:29:57 UTC
will be fixed in stable (not for old) 
Comment 18 Thomas Biege 2009-10-13 21:24:58 UTC
CVE-2005-1759: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)