Bugzilla – Bug 86168
VUL-0: CVE-2005-1759: shtool: tmpfile handling issue in shtool
Last modified: 2021-11-03 14:39:53 UTC
This one came in over vendor-sec.

Subject: [vendor-sec] shtool tempfile handling vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 26 May 2005 13:55:15 +0200

[-- PGP Ausgabe folgt (aktuelle Zeit: Fr 27 Mai 2005 08:57:20 CEST) --]
gpg: Unterschrift vom Do 26 Mai 2005 13:55:19 CEST, DSA Schlüssel ID B6A55F4F
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]
[-- Die folgenden Daten sind signiert --]

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 0,7K --]

Eric Romang reported a tempfile-handling issue in shtool, see:
http://www.zataz.net/adviso/shtool-05252005.txt

Our team proposed the attached patch, which was sent by the reporter to upstream.

The problem is that shtool code is copied in many other packages, including (but probably not limited to) PHP, OpenLDAP and ocaml-mysql.

Reporter said he would forward the patch to all affected upstream authors but also disclosed the shtool vulnerability at the same time.

Steven: could you assign a CAN number to it?

Our GLSA will go out once all affected packages in our tree get fixed, which should take several days.

--
From: "Steven M. Christey" <coley@linus.mitre.org>
To: Thierry Carrez <koon@gentoo.org>
Cc: vendor-sec@lst.de, coley@linus.mitre.org
Subject: [vendor-sec] Re: shtool tempfile handling vulnerability
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 26 May 2005 13:00:12 -0400 (EDT)

Here's the CAN.

======================================================
Candidate: CAN-2005-1751
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
Reference: VULNWATCH:20050525 shtool insecure temporary file creation
Reference: MISC:http://www.zataz.net/adviso/shtool-05252005.txt
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=93782

Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file.

_______________________________________________
Created attachment 38239 [details] shtool-2.0.1-fix-insecure-tmp-creation.diff
maybe shtools != shtool
It's the GNU portable shell tool (not related to our package shtools, which is a collection of other shell scripts, and was dropped some time ago). It is packaged only with php4-devel and php5-devel, as far as I can see, and it is affected by this vulnerability.
Michal, is a php update currently going on, just by chance? (If you have no time to handle it, just assign it to me.)
> Eric Romang reported a tempfile-handling issue in shtool, see :
> http://www.zataz.net/adviso/shtool-05252005.txt

I had a closer look and found more tmpfile vulnerabilities in shtool:

Reuse of old tempfiles:

    rm -f $tmpfile >/dev/null 2>&1
    touch $tmpfile

Use of extensions on the already existing $tmpfile, for example:

    echo >$tmpfile.c "#include <assert.h>"
    echo >>$tmpfile.c "Syntax Error"
    cpp="${CC-cc} -E"
    (eval "$cpp $tmpfile.c >/dev/null") 2>$tmpfile.out

Tavis Ormandy proposed the following patch, which avoids using mktemp to be more portable, by creating a directory into which shtool can do its dirty tricks.

--
Thierry Carrez (Koon)
Gentoo Linux Security
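The directory-based approach described in the comment above, written out as an added example. This is not code from the bug thread, from shtool, or from Tavis Ormandy's patch; the function names (make_private_tmpdir, is_mode_0700, safe_tmp_demo), the ".shtool.<pid>.<n>" naming scheme and the constructed file names are assumptions made for the demonstration. The point it shows is why mkdir(1) is the right primitive when mktemp is unavailable: it is atomic and refuses to create a directory where any entry, including a pre-planted symlink, already exists, so the "rm -f; touch" reuse and the "$tmpfile.c" / "$tmpfile.out" variants all become safe once they live inside a freshly created, mode-0700 directory.

```shell
#!/bin/sh
# Added example (not shtool's own code): a private temporary directory
# created with mkdir, replacing predictable, reusable names such as
# /tmp/.shtool.$$ and the derived /tmp/.shtool.$$.c / .out files.
#
# Why the old shape was unsafe: the name was predictable, the file was
# reused after "rm -f", and redirections to $tmpfile.c followed whatever
# already sat at that path in a world-writable /tmp.
#
# Why mkdir fixes it: mkdir(2) fails with EEXIST if ANY entry (file,
# directory, symlink, even a dangling one) exists at the path, so it can
# never be tricked into following a link. Mode 0700 keeps other users out
# of every file later created inside.

# True when the entry is a directory with mode drwx------.
# Uses ls -ld because stat(1) options differ between GNU and BSD.
is_mode_0700() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a private temp directory under $1 (default ${TMPDIR:-/tmp}).
# Prints the path on success; returns 1 if no candidate could be made.
# Uniqueness comes from the pid and a counter; safety comes from mkdir
# refusing to reuse an existing entry, not from the name being secret.
make_private_tmpdir() {
    parent="${1:-${TMPDIR:-/tmp}}"
    i=0
    while [ "$i" -lt 100 ]; do
        candidate="$parent/.shtool.$$.$i"
        if mkdir -m 700 "$candidate" 2>/dev/null; then
            # belt and braces: confirm we really got a fresh directory
            # with exactly the permissions we asked for
            if [ -d "$candidate" ] && [ ! -L "$candidate" ] \
                && is_mode_0700 "$candidate"; then
                printf '%s\n' "$candidate"
                return 0
            fi
            rmdir "$candidate" 2>/dev/null
        fi
        i=$((i + 1))
    done
    return 1
}

# Worked run: the ".c" and ".out" files that the old code derived from
# $tmpfile now live inside the private directory. Prints the number of
# regular (non-symlink) files created, then removes the directory.
safe_tmp_demo() {
    dir="$(make_private_tmpdir "$1")" || return 1
    trap 'rm -rf "$dir"' EXIT          # clean up even if we are interrupted
    tmpfile="$dir/work"                # constructed base name
    printf '#include <assert.h>\n' > "$tmpfile.c"
    : > "$tmpfile.out"
    count=0
    for f in "$tmpfile.c" "$tmpfile.out"; do
        [ -f "$f" ] && [ ! -L "$f" ] && count=$((count + 1))
    done
    printf '%s\n' "$count"
    rm -rf "$dir"
    trap - EXIT
}
```

Calling make_private_tmpdir in a script and then building every scratch file name from the returned path is the whole pattern; there is no need to guess names or clean up stale files beforehand, because a stale or attacker-planted entry simply makes mkdir move on to the next candidate.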
> Thierry Carrez wrote:
> > Eric Romang reported a tempfile-handling issue in shtool, see :
> > http://www.zataz.net/adviso/shtool-05252005.txt
>
> I had a closer look and found more tmpfile vulnerabilities in shtool :

This is where multiple disclosures/bugs get fun for CVE.

Continue to use CAN-2005-1751 for the .shtool.$$ issue discovered and published by Romang. However, use CAN-2005-1759 for the Gentoo-discovered variants.

- Steve

_______________________________________________
Vendor Security mailing list
Michal Cihar is leaving SuSE; I am the new maintainer of php.
Fixed and submitted the following packages:

mod_php4 for sles8, 8.2, 9.0
php4 for 9.1, SLES9, 9.2, 9.3, stable
php5 for 9.3 (for stable will be later)
Please fix only packages where the problem will exist on the users' side. If shtool is just used for building, a fix is not necessary for older products.
phpize (the script which users use to build php extension modules on their system) checks for shtool being present, and puts it into the configure script generated.

% phpize
Configuring for:
PHP Api Version: 20020918
Zend Module Api No: 20020429
Zend Extension Api No: 20021010
/usr/share/aclocal/gtkextra.m4:8: warning: underquoted definition of AM_PATH_GTKEXTRA
run info '(automake)Extending aclocal' or see http://sources.redhat.com/automake/automake.html#Extending%20aclocal
/usr/local/share/aclocal/gtkextra.m4:8: warning: underquoted definition of AM_PATH_GTKEXTRA

% grep -r shtool . | grep -v "^./build/shtool"
./acinclude.m4: $php_shtool mkdir -p $BUILD_DIR
./Makefile.global:mkinstalldirs = $(top_srcdir)/build/shtool mkdir -p
./Makefile.global:INSTALL = $(top_srcdir)/build/shtool install -c
./ltmain.sh: # Allow the use of GNU shtool's install command.
./ltmain.sh: $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
./autom4te.cache/output.0: elif test -f $ac_dir/shtool; then
./autom4te.cache/output.0: ac_install_sh="$ac_aux_dir/shtool install -c"
./autom4te.cache/output.0: $php_shtool mkdir -p $BUILD_DIR
./autom4te.cache/output.1: elif test -f $ac_dir/shtool; then
./autom4te.cache/output.1: ac_install_sh="$ac_aux_dir/shtool install -c"
./autom4te.cache/output.1: $php_shtool mkdir -p $BUILD_DIR
./configure: elif test -f $ac_dir/shtool; then
./configure: ac_install_sh="$ac_aux_dir/shtool install -c"
./configure: $php_shtool mkdir -p $BUILD_DIR

The used actions ("mkdir" and "install") don't seem to involve temp file creation in /tmp, though, do they?
Thierry Carrez wrote:
> Eric Romang reported a tempfile-handling issue in shtool, see :
> http://www.zataz.net/adviso/shtool-05252005.txt
>
> Our team proposed the attached patch, which was sent by the reporter to
> upstream.
>
> The problem is that shtool code is copied in many other packages,
> including (but probably not limited to) PHP, OpenLDAP and ocaml-mysql.

Small follow-up: Tavis Ormandy inspected the PHP and OpenLDAP shtool calls and concluded that they are using only safe functions. ocaml-mysql, though, makes use of affected code.

We were unsuccessful getting feedback from shtool (or ocaml-mysql) upstream. Our GLSA should go out sometime in the next 24 hours.

--
Thierry Carrez (Koon)
Gentoo Linux Security
Joerg, can you have a look at whether this really affects the ocaml code we ship? I doubt it...
> We were unsuccessful getting feedback from shtool (or ocaml-mysql)
> upstream. Our GLSA should go out sometime in the next 24 hours.

Sorry, the mails to rse@gnu.org have not reached me, as GNU seem to have accidentally destroyed my mail forwarding, and the bug-shtool@gnu.org mail was filed to my SPAM folder.

I've today fixed the issue with GNU shtool 2.0.2 and we're also rolling a mass of OpenPKG update packages today. Attached you find my official patch for this issue: shtool.src.diff is against the GNU shtool sources, shtool.gen.diff is against a generated "shtool" script as of version 2.0.1.

Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com

[-- Anhang #2: shtool.src.diff --]
Created attachment 39274 [details] shtool.gen.diff
Created attachment 39275 [details] shtool.src.diff
will be fixed in stable (not for old)
CVE-2005-1759: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)