The default Linux config file for rdist still specifies a.out as the executable format. That essentially breaks the noexec option, as Linux switched to ELF ages ago. Attached is a patch to fix that. The patch also makes ssh the default transport if the "crypt" flag is used. It also fixes the yacc grammar so that bison can again be used. Finally, it installs the files as group root instead of bin and man.

Reproducible: Always
Created attachment 41367: patch to rdist-6.1.5-r1.ebuild to fix noexec option, plus bonus stuff
Here's a new patch that fixes a couple more problems: an insecure use of mktemp(3) and a segfault on 64-bit machines while trying to print an error message. It also changes the mention of a.out in the man page to ELF.
Created attachment 49049: patch to rdist-6.1.5-r1.ebuild
Created attachment 49051: patch to fix insecure mktemp use; put it in ${FILESDIR}/rdist_mkstemp.patch
This is the only open bug, but dead upstream (alpha release in 2001). I am unsure if other distros have dropped it yet, but I don't know of anyone still using it. I haven't tried said patch (or the alpha available from the upstream).
Security, looks like this package may use mktemp insecurely, can someone please double check for me? I'd like to punt it in either case, but I want a GLSA if one is necessary. Thanks.
(In reply to comment #6)
> Security, looks like this package may use mktemp insecurely, can someone please
> double check for me? I'd like to punt it in either case, but I want a GLSA if
> one is necessary.
>
> Thanks.
>

Only rdistvf.pl contains a weakness that can empty/override an arbitrary file with the rights of the user calling rdistvf.pl. But that file is never used, AFAIK.

$tmp = "/tmp/rdistfilter.$$";
open(OUTF, "|sort >$tmp") || die "Can not open tmp file.\n";

These two lines are not exploitable:

(void) mktemp(msgfac->mf_filename);
if ((msgfac->mf_fptr = fopen(msgfac->mf_filename, "w"))==NULL)

except if someone could create the "mf_filename" file between the mktemp() call and the fopen() call.... hard...

But I agree with the patch, the newer version is the good way to handle mktemp.
+1 for removal.
Thanks, fixed.