| Summary: | net-nds/openldap includes tempfile vulnerable shtool | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Romang <zataz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | robbat2 |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | A3 [ebuild+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 93782 | | |
| Attachments: | | | |

Description
Romang
2005-05-26 03:34:29 UTC
Eric, as usual, please forward patch to upstream if not already done...

Robin, please apply patch from bug 93782 to the included shtool in openldap and bump...

Hmm we should wait for a more complete patch. Stay tuned...

Robin, please use attachment 60117, which contains a better patch

Robin, please apply patch :)

Created attachment 60947
fixes the tmpfile handling of shtool

should apply cleanly to both 2.1.30-r4 and 2.2.26-r2. Based on http://bugs.gentoo.org/attachment.cgi?id=60117

Note: the lines quoted under this could not be applied to openldap's shtool, because this function, nor similar code, are implemented there. So non-existent code can't mess with tempfiles and doesn't need to be patched, right ;) ---------------------- @@ -188,7 +194,7 @@ shtool_exit () { rc="$1" if [ ".$gen_tmpfile" = .yes ]; then - rm -f $tmpfile >/dev/null 2>&1 || true + rm -fr "$tmpdir/.shtool.$$" >/dev/null 2>&1 || true fi exit $rc } ----------------------

It's not that easy. The unpatched code is the adaptation of the tmpfile cleanup code for the patched version. If you patch the rest (using a directory for tmpfiles) and you don't adapt the cleanup (remove a directory rather than individual file) you may have a problem... I'll have a look to double-check

I've had a look at the package, AFAICT the included shtool is only used for the `echo` and `install` functions, both of these routines set gen_tmpfile=no. So although they do contain the vulnerable sections, they are effectively dead code. I think we can safely ignore this issue in ldap, patching the dead code will just make more work for the maintainers for no gain -> WONTFIX.
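
Review bot: in shtool_exit, the added `rm -fr "$tmpdir/.shtool.$$"` rebuilds the directory path from `$tmpdir` and `$$` at exit time instead of reusing a value saved when the directory was created, so the cleanup is only correct if the creation code (not visible in this hunk) uses exactly the same expression and `$tmpdir` is unchanged in between. Consider storing the full path in one variable at creation and removing that variable here, and confirm the creation side fails when the name already exists, since this line deletes recursively whatever sits at that path. Note also that `$tmpfile` is no longer cleaned up by this function, so any caller that still writes to a standalone `$tmpfile` would leave it behind.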
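
The point made in the thread, that switching to a per-process temporary directory means the exit path must remove that directory rather than a single file, shown as an added example that is not shtool's code and not part of the bug report. The function names `make_scratch` and `drop_scratch` and the `.scratch.$$` directory name are hypothetical.

```shell
#!/bin/sh
# Added example, not shtool's code: a private scratch directory whose
# cleanup is tied to the exact path that was created.
# make_scratch, drop_scratch and ".scratch.$$" are hypothetical names.

scratch=""   # set only after a successful creation; cleanup reads nothing else

make_scratch () {
    base="${TMPDIR:-/tmp}"
    # mkdir is atomic and fails if the name already exists, including when it
    # is a symlink planted by another user, so a pre-created entry is
    # rejected instead of being followed. umask 077 gives mode 0700.
    if ( umask 077 && mkdir "$base/.scratch.$$" ) 2>/dev/null; then
        scratch="$base/.scratch.$$"
        return 0
    fi
    return 1
}

drop_scratch () {
    # Remove the directory (not an individual file), and only if this
    # process created it; a failed make_scratch leaves nothing to delete.
    if [ -n "$scratch" ]; then
        rm -rf -- "$scratch"
        scratch=""
    fi
}

# Run the cleanup on every exit path of the calling script.
trap drop_scratch EXIT
```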