[Secure-testing-team] Bug#334350: fix from Gentoo for "flexbackup default config insecure temporary file creation"

Alec Berryman alec at thened.net
Mon May 15 15:01:24 UTC 2006 

Package: flexbackup
Followup-For: Bug #334350

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentoo has two patches for this issue.  The first [1], attached to bug
#105000 [2], is supposedly from Debian, but was apparently never
uploaded.  The patch reportedly breaks remote backups [3], though, and
bug #116510 [4] has a patch [5] that fixes both the original
vulnerability and the subsequent issues with remote backup.  The second
patch applies cleanly to Debian's version, but I have not tested it.

The second patch is attached unmodified.

[1] http://bugs.gentoo.org/attachment.cgi?id=69694&action=view
[2] http://bugs.gentoo.org/show_bug.cgi?id=105000
[3] http://bugs.gentoo.org/show_bug.cgi?id=105000#c15
[4] http://bugs.gentoo.org/show_bug.cgi?id=116510
[5] http://bugs.gentoo.org/attachment.cgi?id=86773&action=view


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaJfEAud/2YgchcQRAgvBAJ94NMAlnvYNvVNykdoTB8ftmcfmbACdHBsg
8TsMQ1YhxSSi5H+TAcSSYXQ=
=M/2d
-----END PGP SIGNATURE-----
-------------- next part --------------
--- flexbackup	2003-10-10 07:12:09.000000000 -0700
+++ /usr/bin/flexbackup	2006-05-14 13:14:54.000000000 -0700
@@ -269,6 +269,7 @@
     untie(%::index);
 }
 
+system ('rm', '-rf', $cfg::tmpdir);
 exit(0);
 
 ######################################################################
@@ -811,6 +812,11 @@
 	($remove, @cmds) = &backup_filelist($label, $localdir, $title, $level, $remote);
     }
 
+	if(defined($remote)) {
+		# create our temporary directory as first remote command
+		unshift(@cmds, &maybe_remote_cmd("$::path{mkdir} -p $cfg::tmpdir", $remote));
+	}
+
     # Nuke any tmp files used in the above routines
     if ($remove ne '') {
 	push(@cmds, &maybe_remote_cmd("$::path{rm} -f $remove", $remote));
@@ -827,6 +833,11 @@
 	    push(@cmds, &maybe_remote_cmd("$::path{rm} -f $pkglist", $remote));
 	}
     }
+	
+	if(defined($remote)) {
+		# remove temporary directory as our last remote command
+		push(@cmds, &maybe_remote_cmd("$::path{rm} -rf $cfg::tmpdir", $remote));
+	}
 
     # Strip multiple spaces
     foreach my $cmd (@cmds) {
@@ -2750,8 +2761,9 @@
     $::path{'find'} = &checkinpath('find');
     $::path{'dd'} = &checkinpath('dd');
     $::path{'printf'} = &checkinpath('printf');
+    $::path{'mkdir'} = &checkinpath('mkdir');
 
-    push(@::remoteprogs,($::path{'touch'},$::path{'rm'},$::path{'find'},$::path{'printf'}));
+    push(@::remoteprogs,($::path{'touch'},$::path{'rm'},$::path{'find'},$::path{'printf'},$::path{'mkdir'}));
 
     # Check device (or dir)
     $::ftape = 0;
@@ -3442,6 +3454,15 @@
 	push(@::errors,"\$tmpdir $cfg::tmpdir is not writable");
     }
 
+	$cfg::hostname = `hostname`;
+	chomp($cfg::hostname);
+
+	# Use a subdirectory of the user-specified directory as our tmpdir
+	# Also note that we make it closer to globally unique as we sometimes
+	# use this variable for remote systems, so PID isn't enough
+    $cfg::tmpdir = $cfg::tmpdir .'/flexbackup.'.$$.'.'.$cfg::hostname;
+    mkdir ($cfg::tmpdir) || die "Can't create temporary directory, $!";
+
     # Levels
     if (defined($::opt{'level'}) and
 	(defined($::opt{'incremental'}) or
@@ -5236,8 +5257,8 @@
     # Create a script which tests the buffer program
     open(SCR,"> $tmp_script") || die;
     print SCR "#!/bin/sh\n";
-    print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
-    print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
+    print SCR "tmp_data=\`tempfile\`\n";
+    print SCR "tmp_err=\`tempfile\`\n";
     print SCR "echo testme > \$tmp_data\n";
     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
     print SCR "res=\$?\n";

More information about the Secure-testing-team mailing list