
Bug 66774

Summary: net-misc/rdist noexec option broken-- looks for a.out, not ELF binaries
Product: Gentoo Linux
Reporter: splite <splite-gentoo>
Component: Current packages
Assignee: Gentoo TreeCleaner Project <treecleaner>
Status: RESOLVED FIXED
Severity: normal
CC: agriffis, maintainer-needed, security
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: Vote
Package list:
Runtime testing required: ---
Attachments: patch to rdist-6.1.5-r1.ebuild to fix noexec option, plus bonus stuff
patch to rdist-6.1.5-r1.ebuild
patch to fix insecure mktemp use; put it in ${FILESDIR}/rdist_mkstemp.patch

Description splite 2004-10-08 08:16:44 UTC
The default Linux config file for rdist still specifies a.out as the executable format.  That essentially breaks the noexec option, as Linux switched to ELF ages ago.  Attached is a patch to fix that.

The patch also makes ssh the default transport if the "crypt" flag is used.  It also fixes the yacc grammar so that bison can again be used.  Finally, it installs the files as group root instead of bin and man.

Reproducible: Always
Comment 1 splite 2004-10-08 08:17:31 UTC
Created attachment 41367 [details, diff]
patch to rdist-6.1.5-r1.ebuild to fix noexec option, plus bonus stuff
Comment 2 splite 2005-01-20 10:09:02 UTC
Here's a new patch that fixes a couple more problems:  an insecure use of mktemp(3) and a segfault on 64-bit machines while trying to print an error message.  It also changes the mention of a.out in the man page to ELF.
Comment 3 splite 2005-01-20 10:09:58 UTC
Created attachment 49049 [details, diff]
patch to rdist-6.1.5-r1.ebuild
Comment 4 splite 2005-01-20 10:11:39 UTC
Created attachment 49051 [details, diff]
patch to fix insecure mktemp use; put it in ${FILESDIR}/rdist_mkstemp.patch
Comment 5 Alec Warner (RETIRED) archtester gentoo-dev Security 2007-01-22 04:28:37 UTC
This is the only open bug, but dead upstream (alpha release in 2001).  I am unsure if other distros have dropped it yet, but I don't know of anyone still using it.  I haven't tried said patch (or the alpha available from the upstream).
Comment 6 Alec Warner (RETIRED) archtester gentoo-dev Security 2007-01-22 06:51:06 UTC
Security, looks like this package may use mktemp insecurely, can someone please double check for me?  I'd like to punt it in either case, but I want a GLSA if one is necessary.

Thanks.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 23:50:31 UTC
(In reply to comment #6)
> Security, looks like this package may use mktemp insecurely, can someone please
> double check for me?  I'd like to punt it in either case, but I want a GLSA if
> one is necessary.
> 
> Thanks.
> 

Only rdistvf.pl contains a weakness that can empty/override an arbitrary file with the rights of the user calling rdistvf.pl. But that file is never used, AFAIK.

$tmp = "/tmp/rdistfilter.$$";
open(OUTF, "|sort >$tmp") || die "Can not open tmp file.\n";



These two lines are not exploitable:
		(void) mktemp(msgfac->mf_filename);
		if ((msgfac->mf_fptr = fopen(msgfac->mf_filename, "w"))==NULL)
except if someone could create the "mf_filename" file between the mktemp() call and the fopen() call... hard... But I agree with the patch, the newer version is the good way to handle mktemp.
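
The difference between opening an already-chosen temp name with fopen(..., "w") and creating it exclusively, as mkstemp() does, shown as an added example (not code from rdist or from the attached patches). The function names, the /tmp/rdist-demo and "keep"/"msg" paths and the file contents are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened form: mkstemp() picks the name and creates the file in one step
 * (O_CREAT|O_EXCL, mode 0600). tmpl must end in "XXXXXX". */
FILE *open_tmp_safe(char *tmpl)
{
    int fd = mkstemp(tmpl);
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (fd >= 0 && fp == NULL) {         /* do not leak the fd or the file */
        close(fd);
        unlink(tmpl);
    }
    return fp;
}

/* Constructed scenario in a private mkdtemp() directory: the name "msg"
 * already exists as a symlink to "keep" when the program opens it.
 * excl != 0 opens with O_CREAT|O_EXCL; excl == 0 uses fopen(path, "w").
 * Returns the size of "keep" afterwards (5 = untouched, 0 = truncated). */
long keep_size_after_open(int excl)
{
    char dir[] = "/tmp/rdist-demo.XXXXXX", keep[64], msg[64];
    struct stat st;
    long size = -1;                      /* -1 = setup failed */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(keep, sizeof keep, "%s/keep", dir);
    snprintf(msg, sizeof msg, "%s/msg", dir);
    FILE *k = fopen(keep, "w");
    if (k && fputs("12345", k) >= 0 && fclose(k) == 0 && symlink(keep, msg) == 0) {
        int fd = -1;
        FILE *f = NULL;
        if (excl)   /* refused with EEXIST: the name is already taken */
            fd = open(msg, O_WRONLY | O_CREAT | O_EXCL, 0600);
        else        /* follows the link and truncates its target */
            f = fopen(msg, "w");
        if (fd >= 0) close(fd);
        if (f != NULL) fclose(f);
        if (stat(keep, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(msg); unlink(keep); rmdir(dir);
    return size;
}
```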

Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-06-14 07:12:13 UTC
+1 for removal.
Comment 9 Charlie Shepherd (RETIRED) gentoo-dev 2007-11-04 14:50:27 UTC
Thanks, fixed.