
Bug 94057

Summary: net-nds/openldap includes tempfile vulnerable shtool
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: normal
CC: robbat2
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A3 [ebuild+]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 93782
Attachments: fixes the tmpfile handling of shtool (flags: none)

Description Romang 2005-05-26 03:34:29 UTC
OpenLDAP also includes shtool in source code.

I contact upstream.

Regards.

Reproducible: Always
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 04:44:49 UTC
Eric, as usual, please forward patch to upstream if not already done...

Robin, please apply patch from bug 93782 to the included shtool in openldap and
bump...
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:44:12 UTC
Hmm we should wait for a more complete patch. Stay tuned...
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 09:15:52 UTC
Robin, please use attachment 60117, which contains a better patch.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:27:42 UTC
Robin, please apply patch :)
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-06-09 14:15:05 UTC
Created attachment 60947
fixes the tmpfile handling of shtool

should apply cleanly to both 2.1.30-r4 and 2.2.26-r2.
Based on http://bugs.gentoo.org/attachment.cgi?id=60117

Note: the lines quoted under this could not be applied to openldap's shtool,
because neither this function nor similar code is implemented there. So non-existent
code can't mess with tempfiles and doesn't need to be patched, right ;)

----------------------
@@ -188,7 +194,7 @@
 shtool_exit () {
     rc="$1"
     if [ ".$gen_tmpfile" = .yes ]; then
-	 rm -f $tmpfile >/dev/null 2>&1 || true
+	 rm -fr "$tmpdir/.shtool.$$" >/dev/null 2>&1 || true
     fi
     exit $rc
 }
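Review bot: In shtool_exit, the added rm -fr "$tmpdir/.shtool.$$" rebuilds the directory path from $tmpdir and $$ at exit time instead of using a value recorded when the directory was created, so cleanup and creation can drift apart if either value differs or the directory was never made. Suggest storing the created path in one variable on the creation side (outside this hunk) and removing that variable here, and making the switch from rm -f on a file to a recursive removal only in the same change that moves the temp files into the directory. The added line also keeps the tab-plus-space indentation of the removed line, while the surrounding context lines are indented with spaces.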
----------------------
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:30:20 UTC
It's not that easy. The unpatched code is the adaptation of the tmpfile cleanup
code for the patched version. If you patch the rest (using a directory for
tmpfiles) and you don't adapt the cleanup (remove a directory rather than
individual file) you may have a problem... I'll have a look to double-check.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-10 05:08:02 UTC
I've had a look at the package, AFAICT the included shtool is only used for the 
`echo` and `install` functions, both of these routines set gen_tmpfile=no. So 
although they do contain the vulnerable sections, they are effectively dead 
code.

I think we can safely ignore this issue in ldap, patching the dead code will 
just make more work for the maintainers for no gain -> WONTFIX.
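
The reachability argument in comment 7 can be checked mechanically. The script below is an added example, not part of the bug thread or of shtool: it lists the subcommands a source tree's Makefiles invoke through `$(SHTOOL)` and reports the `gen_tmpfile` setting of each. The case-arm layout of the dispatcher, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumed layout: the bundled shtool
# picks its subcommand in a case arm "name )" that sets gen_tmpfile=yes|no.

# used_subcommands TREE: subcommands the Makefiles invoke via $(SHTOOL).
used_subcommands() {
    find "$1" -type f -name 'Makefile*' -exec cat {} + |
        sed -n 's/.*\$(SHTOOL)  *\([a-z][a-z]*\).*/\1/p' | sort -u
}

# tmpfile_flag SHTOOL_FILE SUBCOMMAND: prints yes, no, or unknown.
tmpfile_flag() {
    awk -v cmd="$2" '
        $1 == cmd && $2 == ")" { inarm = 1; next }
        inarm && /^[ \t]*;;/   { exit }
        inarm && match($0, /gen_tmpfile=(yes|no)/) {
            print substr($0, RSTART + 12, RLENGTH - 12); found = 1; exit
        }
        END { if (!found) print "unknown" }
    ' "$1"
}

# audit TREE SHTOOL_FILE: one line per used subcommand; returns 1 unless
# every used subcommand is known to run with gen_tmpfile=no.
audit() {
    status=0
    for cmd in $(used_subcommands "$1"); do
        flag=$(tmpfile_flag "$2" "$cmd")
        echo "$cmd gen_tmpfile=$flag"
        [ "$flag" = no ] || status=1
    done
    return $status
}

# Constructed sample tree: a small Makefile.in and a cut-down dispatcher.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'install: all\n\t$(SHTOOL) install -c slapd $(DESTDIR)\n' > "$d/Makefile.in"
    printf '\t@$(SHTOOL) echo -e "done"\n' >> "$d/Makefile.in"
    printf '%s\n' 'case $tool in' '    echo )' '        gen_tmpfile=no' '        ;;' \
        '    install )' '        gen_tmpfile=no' '        ;;' \
        '    subst )' '        gen_tmpfile=yes' '        ;;' 'esac' > "$d/shtool"
    echo "$d"
}

sample=$(make_sample) && audit "$sample" "$sample/shtool"
rm -rf "$sample"
```

A non-zero exit from `audit` means at least one invoked subcommand either sets `gen_tmpfile=yes` or could not be classified, so the tempfile code would need review rather than being treated as dead.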