The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. The uudecode utility would create an output file without checking to see if it was about to write to a symlink or a pipe. If a user uses uudecode to extract data into open shared directories, such as /tmp, this vulnerability could be used by a local attacker to overwrite files or lead to privilege escalation.
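Added example, not sharutils code (the names open_output_safely and self_check and the scratch paths are assumptions): the hardened output-file creation the description above calls for, refusing symlinks and pipes at open time rather than in a separate check before the open, and going slightly beyond the page by also refusing device nodes.

```c
#define _GNU_SOURCE             /* mkdtemp()/mkfifo()/O_NOFOLLOW prototypes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create or overwrite an output file without the check-then-open gap:
 * O_NOFOLLOW makes the symlink decision part of the open itself, and the
 * type check runs with fstat() on the descriptor we actually hold, so an
 * attacker cannot swap the path between check and use. -1 on refusal. */
int open_output_safely(const char *path, mode_t mode)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO with no reader would block forever;
     * with it that open fails (ENXIO) instead. No O_TRUNC until checked. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, mode);
    if (fd == -1)
        return -1;              /* ELOOP here: path is a symbolic link */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);              /* FIFO, device node, ...: refuse */
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) == -1) { close(fd); return -1; }
    return fd;                  /* a regular file we may overwrite */
}

/* Self-check in a private scratch directory (constructed sample paths):
 * regular file accepted, symlink to a victim file and FIFO refused. 1 = ok. */
int self_check(void)
{
    char dir[] = "/tmp/uudecode-check.XXXXXX", p[4][300];
    int ok, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(p[0], 300, "%s/out", dir);    /* regular output file */
    snprintf(p[1], 300, "%s/victim", dir); /* file an attacker wants clobbered */
    snprintf(p[2], 300, "%s/link", dir);   /* symlink -> victim */
    snprintf(p[3], 300, "%s/pipe", dir);   /* FIFO */
    fd = open_output_safely(p[0], 0600);
    ok = fd != -1 && close(fd) == 0;
    fd = open(p[1], O_WRONLY | O_CREAT, 0600);
    ok = ok && fd != -1 && close(fd) == 0 && symlink(p[1], p[2]) == 0
         && open_output_safely(p[2], 0600) == -1 && errno == ELOOP;
    ok = ok && mkfifo(p[3], 0600) == 0
         && open_output_safely(p[3], 0600) == -1;
    unlink(p[0]); unlink(p[1]); unlink(p[2]); unlink(p[3]); rmdir(dir);
    return ok;
}
```

The victim file is left untouched in the symlink case because the open never reaches it; the same descriptor is then what the decoder writes into.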
Proposed patches: --- sharutils-4.2.1/src/uudecode.c.orig Sat Apr 13 01:26:31 2002 +++ sharutils-4.2.1/src/uudecode.c Sat Apr 13 01:30:32 2002 @@ -81,6 +81,9 @@ /* Single character decode. */ #define DEC(Char) (((Char) - ' ') & 077) +#if !defined S_ISLNK && defined S_IFLNK +# define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) +#endif static int read_stduu (inname) @@ -279,6 +282,7 @@ char buf[2 * BUFSIZ]; char *outname; int do_base64 = 0; + struct stat attr; /* Search for header line. */ @@ -337,6 +341,23 @@ } } + /* Check out file if it exists */ + if (strcmp (outname, "/dev/stdout") != 0 && strcmp (outname, "-") != 0 + && !access(outname, F_OK)) { + if (lstat(outname, &attr) == -1) { + error (0, errno, _("cannot access %s"), outname); + return 1; + } + if (S_ISFIFO(attr.st_mode)){ + error (0, errno, _("denied writing FIFO (%s)"), outname); + return 1; + } + if (S_ISLNK(attr.st_mode)) { + error (0, errno, _("not following symlink (%s)"), outname); + return 1; + } + } + /* Create output file and set mode. */ if (strcmp (outname, "/dev/stdout") != 0 && strcmp (outname, "-") != 0 --- sharutils-4.2.1/src/mailshar.in.orig Fri May 11 21:45:29 2001 +++ sharutils-4.2.1/src/mailshar.in Fri May 11 21:50:40 2001 @@ -33,7 +33,11 @@ If none of -MTBzZ are given, -z is automatically selected if *none* of the FILEs have an .arc, .exz, .gif, .z, .gz, .Z, .zip or .zoo suffix." -temp=/usr/tmp/$$.shar +temp=`mktemp -q /tmp/$0.XXXXXX` +if [ $? -ne 0 ]; then + echo "$0: Can't create temp file, exiting..." + exit 1 +fi ### Decode the options.
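Review bot: the block added under `+ /* Check out file if it exists */` is still a check-then-use race: `access()` and `lstat()` inspect the path, but the file is only opened later under `/* Create output file and set mode. */`, so a local user who can write the shared directory can replace `outname` with a symlink or FIFO between the two steps, and a name that does not exist at check time passes `!access(outname, F_OK)` without any inspection. Suggest opening with O_NOFOLLOW (and O_EXCL where a fresh file is expected) and doing the type check with fstat() on the returned descriptor. Separately, the FIFO and symlink branches pass `errno` to `error()` although no call has failed there, so the message will carry whatever stale errno text is lying around; pass 0 instead.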
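Review bot: the template in `+temp=\`mktemp -q /tmp/$0.XXXXXX\`` embeds `$0`, which is the path the script was invoked by; when mailshar is run as `/usr/bin/mailshar` the template becomes `/tmp//usr/bin/mailshar.XXXXXX` and mktemp fails, so the script always exits through the new error branch. Use a fixed name, e.g. `temp=\`mktemp -q /tmp/mailshar.XXXXXX\``, or strip the directory with basename first. The replacement of the predictable `/usr/tmp/$$.shar` itself is the right fix.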