OpenLDAP also includes shtool in its source code. I am contacting upstream. Regards.

Reproducible: Always
Eric, as usual, please forward the patch to upstream if not already done... Robin, please apply the patch from bug 93782 to the included shtool in openldap and bump...
Hmm we should wait for a more complete patch. Stay tuned...
Robin, please use attachment 60117 [details, diff], which contains a better patch
Robin, please apply patch :)
Created attachment 60947 [details, diff]
fixes the tmpfile handling of shtool

Should apply cleanly to both 2.1.30-r4 and 2.2.26-r2. Based on http://bugs.gentoo.org/attachment.cgi?id=60117

Note: the lines quoted below could not be applied to openldap's shtool, because neither this function nor similar code is implemented there. So non-existent code can't mess with tempfiles and doesn't need to be patched, right ;)

---------------------- @@ -188,7 +194,7 @@ shtool_exit () { rc="$1" if [ ".$gen_tmpfile" = .yes ]; then - rm -f $tmpfile >/dev/null 2>&1 || true + rm -fr "$tmpdir/.shtool.$$" >/dev/null 2>&1 || true fi exit $rc } ----------------------
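Review bot: the `+` line `rm -fr "$tmpdir/.shtool.$$"` only makes sense alongside the hunks that switch temp file creation to that per-PID directory, so it has to travel with them: dropping this hunk while taking the creation hunks leaves `rm -f $tmpfile` removing a name that is no longer used and the new directory behind, and taking this hunk without them removes a directory that is never created. Leaving it out here is consistent with the comment that the creation code is absent from openldap's shtool. Separately, nothing in the hunk guards against `$tmpdir` being empty, in which case the `+` line runs `rm -fr "/.shtool.$$"`; a check such as `[ -n "$tmpdir" ] && rm -fr "$tmpdir/.shtool.$$"` would be safer.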
It's not that easy. The unpatched code is the adaptation of the tmpfile cleanup code for the patched version. If you patch the rest (using a directory for tmpfiles) and you don't adapt the cleanup (remove a directory rather than individual files), you may have a problem... I'll have a look to double-check.
I've had a look at the package, AFAICT the included shtool is only used for the `echo` and `install` functions, both of these routines set gen_tmpfile=no. So although they do contain the vulnerable sections, they are effectively dead code. I think we can safely ignore this issue in ldap, patching the dead code will just make more work for the maintainers for no gain -> WONTFIX.
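The hazard discussed in the two comments above (temp directory creation patched in one place, cleanup left behind in another) is avoided if the code that creates the directory is the same code that removes it. The following is an added example in POSIX sh written for this page; it is not shtool's or OpenLDAP's code, and the function names (tmp_create, tmp_cleanup, tmp_with) and the example.XXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example, not code from shtool or OpenLDAP: keep temp-directory
# creation and removal in one pair of functions so they cannot drift
# apart the way a cleanup hunk can when it is applied without the hunks
# that create the directory. All names here are made up for the example.

# Create a private per-process temp directory and print its path.
# mktemp(1) picks an unpredictable name; the fallback relies on mkdir
# failing if the path already exists, so a pre-planted file or symlink
# at a guessable name is rejected instead of reused.
tmp_create() {
    tc_base="${TMPDIR:-/tmp}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$tc_base/example.XXXXXX" || return 1
    else
        tc_dir="$tc_base/.example.$$"
        mkdir -m 0700 "$tc_dir" || return 1
        printf '%s\n' "$tc_dir"
    fi
}

# Remove a directory made by tmp_create. Refuses an empty or top-level
# path (an unset tmpdir variable would otherwise turn rm -rf into a
# disaster) and refuses symlinks, so only the directory we created goes.
tmp_cleanup() {
    tcl_dir="$1"
    case "$tcl_dir" in
        ""|/|/tmp|"${TMPDIR:-/tmp}") return 1 ;;
    esac
    if [ -L "$tcl_dir" ] || [ ! -d "$tcl_dir" ]; then
        return 1
    fi
    rm -rf "$tcl_dir"
}

# Run a command inside a fresh temp directory and always clean up
# afterwards: the function that creates the directory is the one that
# removes it. Returns the command's exit status (1 if cleanup failed).
tmp_with() {
    tw_dir=$(tmp_create) || return 1
    ( cd "$tw_dir" && "$@" )
    tw_rc=$?
    tmp_cleanup "$tw_dir" || tw_rc=1
    return $tw_rc
}

# Usage: tmp_with sh -c 'printf data > scratch && wc -c < scratch'
```

tmp_with is the only place that knows both the creation and the removal side, which is the property the partial patch above lacked; for scripts that can be interrupted, a `trap 'tmp_cleanup "$tw_dir"' EXIT` set right after tmp_create extends the same pairing to signals.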