
Bug 93782

Summary: dev-util/shtool <= 2.0.1 insecure temporary file creation (CAN-2005-175{1-9})
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ka0ttic, taviso, tigger
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
Whiteboard: B3 [glsa] koon
Package list:
Runtime testing required: ---
Bug Depends on: 93784, 94057, 94063    
Bug Blocks:    
Attachments:
  shtool patch (flags: none)

Description Romang 2005-05-24 03:05:13 UTC
Hello,

dev-util/shtool <= 2.0.1

572 #   establish a temporary file on request
573 if [ ".$gen_tmpfile" = .yes ]; then
574     if [ ".$TMPDIR" != . ]; then
575         tmpdir="$TMPDIR"
576     elif [ ".$TEMPDIR" != . ]; then
577         tmpdir="$TEMPDIR"
578     else
579         tmpdir="/tmp"
580     fi
581     tmpfile="$tmpdir/.shtool.$$"
582     rm -f $tmpfile >/dev/null 2>&1
583     touch $tmpfile
584     chmod 600 $tmpfile
585 fi

597 #   cleanup procedure
598 shtool_exit () {
599     rc="$1"
600     if [ ".$gen_tmpfile" = .yes ]; then
601         rm -f $tmpfile >/dev/null 2>&1 || true
602     fi
603     exit $rc
604 }

Look at lines 581 and 582: a symlink attack could delete arbitrary files.
The gen_tmpfile is used for the tarball, subst, scpp and path actions.

I think more issues could be found with this insecure temporary file creation.

The package ocan-mysql also uses shtool; maybe other packages use shtool as well.

Regards.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-24 05:21:09 UTC
Romang, did you try to contact upstream and negotiate coordinated disclosure?
Comment 2 Romang 2005-05-24 05:58:40 UTC
Hello,

I have sent an email to upstream.

I gave him the link to this bug.

Waiting for reply.
Comment 3 Romang 2005-05-24 06:23:17 UTC
Hello,

<rse@gnu.org>: host mx10.gnu.org[199.232.76.166] said: 550 unknown user (in
    reply to RCPT TO command)

No more upstream available.

Regards.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-24 09:55:14 UTC
taviso/tigger, will one of you take a look and confirm (/patch)? Also CC'ing the
maintainer.
Comment 5 rob holland (RETIRED) gentoo-dev 2005-05-24 10:10:38 UTC
Confirmed as abusable.

suggested fix:

-     tmpfile="$tmpdir/.shtool.$$"
-     rm -f $tmpfile >/dev/null 2>&1
-     touch $tmpfile
-     chmod 600 $tmpfile
+     tmpfile=`mktemp "$tmpdir/.shtool.XXXXXX"`
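Review bot: the `+` line assigns the output of mktemp without checking its exit status; if mktemp is unavailable or $tmpdir is not writable, $tmpfile is left empty, the later `rm -f $tmpfile` in shtool_exit silently does nothing, and any derived name such as $tmpfile.c turns into a bare `.c` in the current directory. Suggest `tmpfile=\`mktemp "$tmpdir/.shtool.XXXXXX"\` || shtool_exit 1`. The replacement also only secures the file named $tmpfile itself: the $tmpfile.c and $tmpfile.out names quoted later in this bug are still created with plain redirections on a predictable sibling name.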
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-24 10:21:22 UTC
Aaron please provide an updated ebuild. 
Comment 7 rob holland (RETIRED) gentoo-dev 2005-05-24 10:23:47 UTC
Re-reading, I don't know how you'd get a file deletion or anything scary out of
this. The rm -r $tmpfile would delete the symlink, not the target of it. So, it
doesn't look to be abusable. Sorry for the misinformation.
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-24 10:45:03 UTC
You were right the first time, the rm then touch is a non-atomic operation, so 
there's a race condition.

As the filename is easily predictable (pid-based), this is exploitable (in cases 
like this you can cause lots of system load to expand the window even more, 
using mktemp also contains a race condition, but to have any chance of 
exploiting it you must create millions of files within a very short period 
(microseconds?), so the attack is only theoretical, not practical).
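The race described in the comment above, as an added example that is not part of this bug report and not shtool's code: the vulnerable rm/touch/chmod sequence is split at its window so the attacker's symlink can be planted deterministically, and safe_tmpfile is the mktemp-based replacement with the failure check and symlink check a practitioner would add. The function names, the pid-style name `.shtool.12345` and the victim file are constructed for the illustration; the block assumes a mktemp(1) that accepts a template and a writable ${TMPDIR:-/tmp}.

```shell
#!/bin/sh
# Added example, not shtool code. Shows why
#   rm -f $tmpfile; touch $tmpfile; chmod 600 $tmpfile
# on a predictable name is racy, and a mktemp-based replacement.

# The vulnerable sequence, split at the race window so the demo can
# "win" the race by planting a symlink between rm and touch.
vuln_prepare() {            # step 1: shtool's `rm -f $tmpfile`
    rm -f "$1" >/dev/null 2>&1
}
vuln_create() {             # step 2: shtool's `touch` + `chmod 600`
    touch "$1" && chmod 600 "$1"
}

# Attacker: between rm and touch, point the predictable name at a file
# the attacker wants clobbered (touch, chmod and > all follow symlinks).
attacker_plant() {          # $1 = predictable tmp name, $2 = target
    ln -s "$2" "$1"
}

# Hardened creation: unique name, O_EXCL create, mode 0600, and a
# post-check that what we got is a regular file rather than a symlink.
safe_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/.shtool.XXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Constructed scenario: prints the victim file's content after the
# "race" has been won. "overwritten" means the temp data landed in it.
demo_race() {
    work=$(mktemp -d) || return 1
    target="$work/victim_owned_file"
    printf 'original\n' > "$target"
    tmp="$work/.shtool.12345"         # pid-based name: guessable
    vuln_prepare "$tmp"
    attacker_plant "$tmp" "$target"   # attacker wins the window
    vuln_create "$tmp"
    echo "overwritten" > "$tmp"       # shtool's write follows the symlink
    cat "$target"
    rm -rf "$work"
}
```

In the real program the window between rm and touch is only a few syscalls wide; the demo forces the interleaving rather than racing for it, which is why comment 8 points to load as the way to widen it in practice.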
Comment 9 Aaron Walker (RETIRED) gentoo-dev 2005-05-24 16:03:00 UTC
2.0.1-r1 in CVS; x86 stable. CC'd archs please stable.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-05-25 00:36:22 UTC
Unccing arches as they can access the bug as the alias.
We should cc individual maintainers instead, until this is made public by reporter ?
Comment 11 Romang 2005-05-25 02:57:48 UTC
Hello,

Here below are other non-Gentoo-related and Gentoo-related packages using shtool:

- SellaNMS (http://www.digitalgenesis.com/) - non gentoo related
- ipcmp (http://www.digitalgenesis.com/) - non gentoo related
- OOPSE ( http://oopse.org/) - non gentoo related
- and others.

Regards.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-25 07:23:01 UTC
sparc done.
Comment 13 Romang 2005-05-25 10:46:10 UTC
Hello,

Advisory at http://www.zataz.net/adviso/shtool-05252005.txt

Thanks to the Gentoo Security Team!

Regards.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 03:07:30 UTC
Advisory is public.
ia64: please test and mark 2.0.1-r1 stable.
Ready for GLSA vote, maybe we should wait for the other shtool-including
packages to be fixed.
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-26 03:33:55 UTC
I would vote YES, as there is precedent for sending a glsa for this class of 
vulnerability (eg, 200503-14).
Comment 16 Aaron Walker (RETIRED) gentoo-dev 2005-05-26 04:56:53 UTC
Also, forgot to mention, I did notify upstream via bug-shtool@gnu.org.  Didn't
get a return on that one, so I'm assuming it went through ok.

As far as packages using shtool, grep'ing the tree only turns up
net-nds/openldap and dev-libs/mm.  Obviously there are more than that though. 
Just not sure how we'd go about finding out.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-26 06:47:46 UTC
Stable on ia64.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 00:32:27 UTC
Candidate: CAN-2005-1751
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
Reference: VULNWATCH:20050525 shtool insecure temporary file creation
Reference: MISC:http://www.zataz.net/adviso/shtool-05252005.txt
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=93782

Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 07:08:14 UTC
I vote YES for a grouped GLSA with bugs 94063 94057 and 93784.
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-27 09:03:35 UTC
I agree with Koon on a grouped GLSA.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:36:55 UTC
Hmmm... Not sure the patch is sufficient. There are multiple places where
$tmpfile, even when created safely, is handled inappropriately:

Race condition :
rm -f $tmpfile >/dev/null 2>&1
touch $tmpfile

Or my personal favorite :
echo >$tmpfile.c "#include <assert.h>"
echo >>$tmpfile.c "Syntax Error"
cpp="${CC-cc} -E"
(eval "$cpp $tmpfile.c >/dev/null") 2>$tmpfile.out

We should definitely have a deeper look in this. And forward more complete
patches upstream.
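The second point in the comment above (a safely created $tmpfile does not protect $tmpfile.c and $tmpfile.out), as an added example that is neither shtool's code nor the patch attached to this bug: once $tmpfile exists, its name is visible to anyone listing the shared directory, so the attacker needs no race at all to plant the sibling name before the victim writes it. The fix shown keeps every scratch file inside a private mktemp -d directory, where other users cannot create entries. Function names, the probe.c file name and the constructed target file are assumptions for the illustration; the block assumes mktemp(1) with -d and template support and a writable ${TMPDIR:-/tmp}.

```shell
#!/bin/sh
# Added example, not shtool code. A safe $tmpfile still leaves its
# derived names ($tmpfile.c, $tmpfile.out) open to symlink planting.

# Victim side of the pattern quoted above: writes a .c next to $tmpfile.
write_sibling() {             # $1 = safely created tmp file
    echo "#include <assert.h>" > "$1.c"
    echo "Syntax Error" >> "$1.c"
}

# Attacker: $tmpfile itself is unguessable, but once created it shows
# up in the shared directory, so "$tmpfile.c" can be planted at leisure.
attacker_plant_sibling() {    # $1 = victim tmp file, $2 = target
    ln -s "$2" "$1.c"
}

# Constructed scenario: prints the target's first line after the victim
# runs. "#include <assert.h>" means the write went through the symlink.
demo_sibling_clobber() {
    work=$(mktemp -d) || return 1
    target="$work/target"
    printf 'original\n' > "$target"
    tmp=$(mktemp "$work/.shtool.XXXXXX") || return 1   # safely created
    attacker_plant_sibling "$tmp" "$target"
    write_sibling "$tmp"
    head -n 1 "$target"
    rm -rf "$work"
}

# Fix: one private directory (mode 0700) for all scratch files. Names
# inside it may be fixed, since no other user can create entries there.
safe_scratch_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/.shtool.XXXXXX") || return 1
    chmod 700 "$d" || { rm -rf "$d"; return 1; }
    printf '%s\n' "$d"
}

# Hardened write_sibling: the .c lives in the private directory; prints
# its first line so the caller can check what was actually written.
write_in_scratch_dir() {
    d=$(safe_scratch_dir) || return 1
    echo "#include <assert.h>" > "$d/probe.c"
    echo "Syntax Error" >> "$d/probe.c"
    head -n 1 "$d/probe.c"
    rm -rf "$d"
}
```

The directory approach also removes the need for a portable file-creating mktemp in every call site: one successful mktemp -d at startup, and every later scratch file is an ordinary redirection inside it.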
Comment 22 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-29 12:43:19 UTC
Created attachment 60117 [details, diff]
shtool patch

How about this? He can create whatever files he likes with .c, .out or whatever
then. Also, mktemp is probably not portable enough for this situation.
Comment 23 Romang 2005-05-29 13:35:05 UTC
Hello,

Sent the patch to upstream.

Regards.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-05-30 01:05:56 UTC
CAN-2005-1759 for the Gentoo-discovered variants
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 09:17:04 UTC
Aaron: please bump shtool with latest taviso's patch. It should replace the
original (incomplete) patch.
Comment 26 Aaron Walker (RETIRED) gentoo-dev 2005-05-31 09:50:37 UTC
2.0.1-r2 in cvs. x86 stable. ia64/sparc please re-stable.
Comment 27 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-31 12:54:57 UTC
sparc stable.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 13:44:07 UTC
Waiting on bugs 94063 94057 and 93784 for a grouped GLSA.
Comment 29 Romang 2005-05-31 15:05:54 UTC
Hello,

No answers from upstream.

Regards.
Comment 30 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-04 02:10:09 UTC
Stable on ia64.
Comment 31 Geoff 2005-06-11 06:42:13 UTC
php-4.3.11 includes shtool-1.6.2 (at /usr/lib/php/build/shtool)  Not sure
where/when/how it's used, though.
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2005-06-11 09:27:48 UTC
Geoff: see bug 94063 for shtool/php
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2005-06-11 10:47:46 UTC
GLSA 200506-08