[Secure-testing-team] Bug#498901: Unsecure use of temporary files

Sun Sep 14 11:45:28 UTC 2008

Package: smsclient
Version: 2.0.8z-10
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224

Hi Jonathan,

you are using the process id in a shell script to create a "random"
temporary file (in contrib/mail2sms-shell/mail2sms.sh). Although this is
just documentation users could simply copy and paste the script which
would lead to a security issue on their system. I'd appreciate if you
fixed that.
The patch below tries to solve that problem and by the way fixes your
bashism bug #489661.

Please test thoroughly and upload ASAP if appropriate.

Cheers,
Hauke

*** bashandtmp.patch
diff -Naur smsclient-2.0.8z~/contrib/mail2sms-shell/mail2sms.sh smsclient-2.0.8z/contrib/mail2sms-shell/mail2sms.sh
- --- smsclient-2.0.8z~/contrib/mail2sms-shell/mail2sms.sh	2008-09-14 13:34:37.000000000 +0200
+++ smsclient-2.0.8z/contrib/mail2sms-shell/mail2sms.sh	2008-09-14 13:39:16.000000000 +0200
@@ -8,12 +8,14 @@
 # By Andy Hawkins (andy at gently.demon.co.uk)
 
 
- -/usr/bin/cp /dev/null /tmp/header.$$
+tmpfile=`mktemp header.XXXXXXXXXX`
+tmpfile2=`mktemp body.XXXXXXXXXX`
+/usr/bin/cp /dev/null $tmpfile
 ELINE=0
 while [ $ELINE -lt 3 ]
 do
   read LINE
- -  echo "$LINE" >> /tmp/header.$$
+  echo "$LINE" >> $tmpfile
   if [ "$LINE" = "" ]
   then
     ELINE=3
@@ -22,18 +24,18 @@
   fi
 done
 
- -SENDER=`head -n 1 /tmp/header.$$ | awk '{print $2}'`
- -TARGET=`grep ^Subject: /tmp/header.$$ | awk '{print $2}'`
+SENDER=`head -n 1 $tmpfile | awk '{print $2}'`
+TARGET=`grep ^Subject: $tmpfile | awk '{print $2}'`
 
 
 ELINE=0
 while [ $ELINE -lt 2 ]
 do
   read LINE
- -  echo "$LINE" >> /tmp/body.$$
+  echo "$LINE" >> $tmpfile2
   if [ "$LINE" = "" ]
   then
- -    let ELINE=ELINE+1
+    ELINE=$((ELINE+1))
   else
     ELINE=0
   fi
@@ -45,7 +47,7 @@
 SENT=0
 while [ $RETRY -gt 1 ] && [ $SENT -eq 0 ]
 do
- -  MSG=`cat /tmp/body.$$`
+  MSG=`cat $tmpfile2`
   /usr/bin/sms_client $TARGET "$MSG" >> /tmp/sms.log
   case $? in
    0) /bin/mailx -s "SMS success to $TARGET" $SENDER < /dev/null 
@@ -63,7 +65,7 @@
       SENT=1;;
    *)
       sleep 10
- -      let RETRY=RETRY-1;;
+      RETRY=$((RETRY-1));;
   esac
 done
 
@@ -74,5 +76,5 @@
 exit
 fi
 
- -rm /tmp/header.$$
- -rm /tmp/body.$$
+rm $tmpfile
+rm $tmpfile2


- -- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iFYEARELAAYFAkjM+VQACgkQGOp6XeD8cQ0/yQDePghgg3MczNy3N68k6vXIyHrd
1NZNuKQ65Om2BwDfWjxEQolj733VY9bKH1pFqPk1zUQGUyGiEqGbUA==
=Jpnr
-----END PGP SIGNATURE-----



