[Secure-testing-team] Bug#488140: checkinstall: Unsafe temp dir creation
Felipe Sateler
fsateler at gmail.com
Thu Jun 26 17:12:00 UTC 2008
Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole
*** Please type your report below this line ***
Checkinstall (and installwatch) create temporary directories manually
instead of using mktemp, which creates a race condition.
The attached patch changes these into calls to mktemp, which is secure.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages checkinstall depends on:
ii dpkg-dev 1.15.0 Debian package development tools
ii file 4.24-2 Determines file type using "magic"
ii findutils 4.4.0-2 utilities for finding files--find,
ii libc6 2.7-12 GNU C Library: Shared libraries
Versions of packages checkinstall recommends:
ii make 3.81-5 The GNU version of the "make" util
-- no debconf information
-------------- next part --------------
Index: checkinstall
===================================================================
--- checkinstall (revision 10000)
+++ checkinstall (working copy)
@@ -965,16 +965,8 @@
# Find a safe TMP_DIR
-TMP_DIR=${BASE_TMP_DIR}/`awk 'BEGIN { srand(); for (i=1;i<22;i++) { a=95; while (a > 90 && a < 97) { a=65+int(50*rand())}; printf("%c", a) } }'`
-[ -e "$TMP_DIR" ] && rm -rf $TMP_DIR
-if [ -e "$TMP_DIR" ]; then
- echo
- echog "My temp dir exists already.\nThis looks like a symlink attack!"
- echo
- echog "*** Aborting"
- echo
- exit 1
-fi
+TMP_DIR=`mktemp -q -d -p "${BASE_TMP_DIR}"`
+RETURN=$?
if [ "$TMP_DIR" = "$BASE_TMP_DIR" -o "$TMP_DIR" = "/" ]; then
echo
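Review bot: the sanity check kept as context after the new `RETURN=$?` line compares TMP_DIR only against BASE_TMP_DIR and "/", but with `-q` a failed mktemp prints nothing and leaves TMP_DIR empty, and an empty value passes that comparison. Suggest testing RETURN (or `[ -z "$TMP_DIR" ]`) immediately after the mktemp call, before TMP_DIR is compared or used.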
@@ -985,11 +977,6 @@
exit 1
fi
-
-mkdir $TMP_DIR
-chmod 700 $TMP_DIR
-RETURN=$?
-
if [ $RETURN -gt 0 ]; then
echo
echog "**** Failed to create temp dir! \n**** Do you have write permission for %s? \n\n**** Aborting installation." "$BASE_TMP_DIR"
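Review bot: with `RETURN=$?` removed here, the `if [ $RETURN -gt 0 ]` check kept as context reads a value assigned next to the mktemp call in the previous hunk, so a later edit that sets RETURN anywhere in between would mask a mktemp failure. Moving this failure branch directly under the mktemp line, or adding a comment at the check naming the command whose status it reads, would keep the two together; quoting `"$RETURN"` in the test is worth doing at the same time.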
Index: installwatch-0.7.0beta5/installwatch
===================================================================
--- installwatch-0.7.0beta5/installwatch (revision 10000)
+++ installwatch-0.7.0beta5/installwatch (working copy)
@@ -74,31 +74,8 @@
local mkt_refdir=$1
local mkt_wrkdir=""
- mkt_wrkdir=${BASE_TMP_DIR}/\
-`awk 'BEGIN {\
- srand();\
- for (i=1;i<21;i++) {\
- a=95;\
- while (a > 90 && a < 97) {\
- a=65+int(50*rand())\
- };\
- printf("%c", a) \
- }\
-}'`
-
- [ -e "${mkt_wrkdir}" ] && rm -rf ${mkt_wrkdir}
- if [ -e "${mkt_wrkdir}" ]; then
- echo
- echo "Error : My temp dir exists already. This looks like a symlink attack!"
- echo
- echo "*** Aborting ***"
- echo
- exit 1
- fi
+ mkt_wrkdir=`mktemp -q -d -p ${BASE_TMP_DIR}`
- mkdir ${mkt_wrkdir}
- chmod 0700 ${mkt_wrkdir}
-
eval $mkt_refdir=\$mkt_wrkdir
}
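Review bot: the new `mktemp -q -d -p ${BASE_TMP_DIR}` line has no failure check, and unlike the checkinstall hunk it leaves BASE_TMP_DIR unquoted. With `-q` a failure is silent and mkt_wrkdir is empty, which the `eval $mkt_refdir=\$mkt_wrkdir` line then hands back to the caller as the working directory. Suggest quoting the variable and returning an error when mktemp's status is non-zero or the result is empty.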
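The approach the report describes, replacing check-then-mkdir with mktemp, shown as an added example that is not part of the original message or of checkinstall. The helper name `make_private_tmpdir` and the demo default for `BASE_TMP_DIR` are assumptions; the mktemp flags are the ones used in the patch.

```shell
#!/bin/sh
# Added example, not checkinstall's code. make_private_tmpdir is a
# hypothetical helper; BASE_TMP_DIR mirrors the variable in the patch.

# Create a private working directory under $1 and print its path.
# Returns non-zero and prints nothing on stdout if creation fails.
make_private_tmpdir() {
    mpt_base=$1

    # mktemp -d chooses the name and creates the directory in one step and
    # fails rather than reusing an existing path, so there is no window
    # between an existence check and a separate mkdir.
    mpt_dir=$(mktemp -q -d -p "$mpt_base") || return 1

    # -q suppresses mktemp's own error message, so verify the result here.
    [ -n "$mpt_dir" ] || return 1
    [ -d "$mpt_dir" ] && [ ! -L "$mpt_dir" ] || return 1

    # Expect owner-only permissions on the new directory.
    mpt_mode=$(ls -ld "$mpt_dir" | cut -c1-10)
    [ "$mpt_mode" = "drwx------" ] || return 1

    printf '%s\n' "$mpt_dir"
}

# Demo: the default base directory below is constructed for this example.
BASE_TMP_DIR=${TMPDIR:-/tmp}
if TMP_DIR=$(make_private_tmpdir "$BASE_TMP_DIR"); then
    echo "working in $TMP_DIR"
    rm -rf -- "$TMP_DIR"
else
    echo "Failed to create temp dir under $BASE_TMP_DIR" >&2
fi
```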