Bug 94057 - net-nds/openldap includes tempfile vulnerable shtool
Summary: net-nds/openldap includes tempfile vulnerable shtool
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All, OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [ebuild+]
Depends on:
Blocks: 93782
Reported: 2005-05-26 03:34 UTC by Romang
Modified: 2005-06-10 05:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Attachment: fixes the tmpfile handling of shtool (shtool.patch, 512 bytes, patch)
2005-06-09 14:15 UTC, Stefan Cornelius (RETIRED)

Description Romang 2005-05-26 03:34:29 UTC
OpenLDAP also includes shtool in its source code.

I have contacted upstream.


Reproducible: Always
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 04:44:49 UTC
Eric, as usual, please forward patch to upstream if not already done...

Robin, please apply patch from bug 93782 to the included shtool in openldap and
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:44:12 UTC
Hmm we should wait for a more complete patch. Stay tuned...
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 09:15:52 UTC
Robin, please use attachment 60117 [details, diff], which contains a better patch
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:27:42 UTC
Robin, please apply patch :)
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-06-09 14:15:05 UTC
Created attachment 60947 [details, diff]
fixes the tmpfile handling of shtool

should apply cleanly to both 2.1.30-r4 and 2.2.26-r2.
Based on

Note: the lines quoted under this could not be applied to openldap's shtool,
because neither this function nor similar code is implemented there. So non-existent
code can't mess with tempfiles and doesn't need to be patched, right ;)

@@ -188,7 +194,7 @@
 shtool_exit () {
     if [ ".$gen_tmpfile" = .yes ]; then
-	 rm -f $tmpfile >/dev/null 2>&1 || true
+	 rm -fr "$tmpdir/.shtool.$$" >/dev/null 2>&1 || true
     exit $rc
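Review bot: leaving this hunk out of the openldap copy is only safe if the rest of the patch, the part that allocates a per-process directory instead of a single `$tmpfile`, was left out as well. The `+` line in `shtool_exit` is the cleanup half of that directory scheme: `rm -fr "$tmpdir/.shtool.$$"` replaces `rm -f $tmpfile`. If the allocation hunks do get applied but this one does not, exit still removes only the old `$tmpfile` and leaves `$tmpdir/.shtool.$$` behind on every run; if no such directory is ever created, the replacement line is harmless either way. Worth confirming which of the two cases the openldap shtool is in before dropping the hunk.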
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:30:20 UTC
It's not that easy. The unpatched code is the adaptation of the tmpfile cleanup
code for the patched version. If you patch the rest (using a directory for
tmpfiles) and you don't adapt the cleanup (remove a directory rather than
individual file) you may have a problem... I'll have a look to double-check
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-10 05:08:02 UTC
I've had a look at the package. AFAICT the included shtool is only used for the
`echo` and `install` functions, and both of these routines set gen_tmpfile=no. So
although they do contain the vulnerable sections, they are effectively dead

I think we can safely ignore this issue in ldap, patching the dead code will 
just make more work for the maintainers for no gain -> WONTFIX.