Bug 154991 - sharutils CAN-2005-0990 unsecure temp file usage
Summary: sharutils CAN-2005-0990 unsecure temp file usage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: sharutils
Version: fc2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, 1, rh90, rh73, 2
Depends On: 154051
Blocks:
Reported: 2005-04-15 14:14 UTC by Matthew Miller
Modified: 2007-04-18 17:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-10 21:27:20 UTC



Description Matthew Miller 2005-04-15 14:14:06 UTC
+++ This bug was initially created as a clone of Bug #154051 +++
+++ This bug was initially created as a clone of Bug #154049 +++

The way sharutils handles temporary files is insecure (as reported by the Debian
BTS):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412

The Debian bug contains a patch for this issue.

--------------------------------------------------------------------------

Looks like this update missed the FC2 cutoff -- cloning into Fedora Legacy.

Red Hat folks: is the sharutils-4.2.1-18.2.FC2 package available anywhere? Thanks!

Comment 1 Marc Deslauriers 2005-04-16 14:46:53 UTC
We must make sure CAN-2004-1772 and CAN-2004-1773 are fixed as well.


Comment 2 Marc Deslauriers 2005-04-17 19:02:14 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated sharutils packages to QA:

CAN-2004-1772 and CAN-2004-1773 were already fixed by the previous releases.

* Sun Apr 17 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
4.2.1-18.2.FC2.legacy
- - Added security fix for CAN-2005-0990

db20b5b266606ea3be47b8949e3c9d0521eed447  7.3/sharutils-4.2.1-12.7.x.1.legacy.i386.rpm
912ccce0d30fd6d204dcf4b31a9669327b45db70  7.3/sharutils-4.2.1-12.7.x.1.legacy.src.rpm
be09a817e162bf805020e6d4fa472d97e947fda4  9/sharutils-4.2.1-16.9.2.legacy.i386.rpm
26714a4f61079b052abc06bb133fd139bd30e4df  9/sharutils-4.2.1-16.9.2.legacy.src.rpm
7d4e573758b23331ce897e443d184a00e2bedfad  1/sharutils-4.2.1-17.3.legacy.i386.rpm
df61b5902ef81dda6d88070f9b7a6d70c084ee37  1/sharutils-4.2.1-17.3.legacy.src.rpm
c8230aa4bb70a49e570ba555be14f6b6c30df8d6  2/sharutils-4.2.1-18.2.FC2.legacy.i386.rpm
3b9afd8a6af04756abf245c76608d8aa376ff707  2/sharutils-4.2.1-18.2.FC2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCYrJsLMAs/0C4zNoRAnXHAJ9IYlmZimvtdRC1gM1VhmBL2O2tBwCfa71S
7DIbk4ouW2TJqNOKkADaj6M=
=w2gp
-----END PGP SIGNATURE-----


Comment 3 Ngo Than 2005-04-18 15:20:20 UTC
You will find the sharutils-4.2.1-18.2.FC2 srpm on tp://people.redhat.com/than/fc2

Comment 4 Marc Deslauriers 2005-04-18 22:48:29 UTC
This bug must go through the FL QA process...

Comment 5 Pekka Savola 2005-04-20 18:45:57 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:

 - source integrity good
 - patch verified to come from debian
 - spec file changes minimal

+PUBLISH RHL73,RHL9,FC1,FC2

912ccce0d30fd6d204dcf4b31a9669327b45db70  sharutils-4.2.1-12.7.x.1.legacy.src.rpm
26714a4f61079b052abc06bb133fd139bd30e4df  sharutils-4.2.1-16.9.2.legacy.src.rpm
df61b5902ef81dda6d88070f9b7a6d70c084ee37  sharutils-4.2.1-17.3.legacy.src.rpm
3b9afd8a6af04756abf245c76608d8aa376ff707  sharutils-4.2.1-18.2.FC2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCZqMsGHbTkzxSL7QRApFtAJ47pdG4qvkb9FXKAFE+ledZ6ub+sgCfcbwh
WxVMHuAnK4u+bSxzX96WvWk=
=x+RO
-----END PGP SIGNATURE-----


Comment 6 Michal Jaegermann 2005-05-01 00:22:11 UTC
The same patch is also used in FC3 sources (which caught up recently with
another security patch present in Legacy sources from October last year).
This should be a "no brainer" publish.

Comment 7 Marc Deslauriers 2005-05-02 12:05:41 UTC
Packages were pushed to updates-testing

Comment 8 Tom Yates 2005-05-02 14:59:44 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

00132d8850d0db03c6adae00ecece7c99de20223 sharutils-4.2.1-16.9.2.legacy.i386.rpm

installs OK.  If I read the debian report aright, the bug specifically
affects the unshar command, so:

[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0  fred
[madhatta@www foo]$ shar fred > fred.shar
shar: Saving fred (text)
[madhatta@www foo]$ rm fred
[madhatta@www foo]$ unshar fred.shar
/home/madhatta/tmp/foo/fred.shar:
x - creating lock directory
x - extracting fred (text)
[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0  fred
[madhatta@www foo]$

looks like unshar works, at least on a trivial case.  I don't really use it
much, so I can't give it a thorough workout (sorry).

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCdkAWePtvKV31zw4RAmC/AKCOColeJs1b4sK6PP8JpR0GUyg8nACbBbzd
6RdlTomn3HzjiPjC/3cEL0s=
=Y0wn
-----END PGP SIGNATURE-----


Comment 9 Pekka Savola 2005-05-03 10:38:44 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA on RHL73:
 
I created a shar file and unsharred it fine.
 
I didn't manage to see anything interesting when I straced 'unshar
archive.shar' but when I straced 'sh ./archive.shar', I did notice a temp
file was being created with a reasonable randomness, so this should be OK.
 
[pid  4889] open("/tmp/sh-thd-2963738994",
O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3
[pid  4889] open("/tmp/sh-thd-2963738994", O_RDONLY|O_LARGEFILE) = 4
 
+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCd1SDGHbTkzxSL7QRAr/ZAKCl2pm0O5nPC/qCaXuiv72HJEtIgwCggoMq
zDMbAaOFGMZ6zjlrsBBwVMg=
=prix
-----END PGP SIGNATURE-----
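An added example, not code from sharutils, from the Debian patch or from anyone in this thread, showing why the O_CREAT|O_EXCL with mode 0600 open in the strace above is the pattern a reviewer looks for. It plays the classic symlink attack on a predictable temp-file name inside a private directory: the attacker pre-plants a symlink at the guessable name pointing at a victim file, and the program's open() either follows it (no O_EXCL: the program's data lands in the victim file) or refuses with EEXIST (O_EXCL: the victim is untouched). The directory, the victim file and the name sh-thd-1234 are constructed for the demo; only the /tmp/sh-thd- prefix is borrowed from the strace. The last function shows the portable fix, mkstemp(), which picks an unpredictable name and opens it with O_EXCL and mode 0600 in one step, followed by an fstat() sanity check on the descriptor it returns.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one run of the race scenario. */
struct race_result {
    int opened;          /* 1 if open() of the predictable name succeeded */
    int err;             /* errno from open() when it failed, else 0 */
    char victim[64];     /* contents of the victim file afterwards */
};

/* Write a string to path, creating or truncating it. 0 on success. */
static int write_file(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fputs(data, f) < 0 ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Read up to n-1 bytes of path into buf, NUL-terminated. 0 on success. */
static int read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 0;
}

/*
 * Simulate the attack in a fresh private directory (constructed for the demo).
 * use_excl == 0 : the vulnerable pattern, open(name, O_WRONLY|O_CREAT|O_TRUNC, 0600)
 * use_excl == 1 : the fixed pattern from the strace, with O_EXCL added
 * Returns 0 if the scenario ran; details are left in *out.
 */
int run_race(int use_excl, struct race_result *out)
{
    char dir[] = "/tmp/race-demo-XXXXXX";
    char victim[256], predictable[256];
    memset(out, 0, sizeof *out);

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predictable, sizeof predictable, "%s/sh-thd-1234", dir);

    if (write_file(victim, "original secret\n") != 0) return -1;
    /* Attacker's move: plant a symlink at the guessable temp name. */
    if (symlink(victim, predictable) != 0) return -1;

    /* Program's move: create "its" temp file at that name. */
    int flags = O_WRONLY | O_CREAT | O_TRUNC | (use_excl ? O_EXCL : 0);
    int fd = open(predictable, flags, 0600);
    if (fd >= 0) {
        out->opened = 1;
        const char msg[] = "here-document body\n";
        ssize_t w = write(fd, msg, sizeof msg - 1);   /* lands wherever the link points */
        (void)w;
        close(fd);
    } else {
        out->err = errno;                              /* EEXIST when O_EXCL refuses the link */
    }
    read_file(victim, out->victim, sizeof out->victim);

    unlink(predictable);
    unlink(victim);
    rmdir(dir);
    return 0;
}

/*
 * The portable fix: mkstemp() replaces the XXXXXX with an unpredictable suffix
 * and opens the file with O_CREAT|O_EXCL and mode 0600 atomically. The fstat()
 * check confirms we hold a fresh regular file that only we can read or write.
 * Returns the open descriptor, or -1; the chosen path is copied into path.
 */
int open_temp_safely(char *path, size_t n)
{
    const char template[] = "/tmp/sh-thd-XXXXXX";
    if (n < sizeof template) return -1;
    memcpy(path, template, sizeof template);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

int main(void)
{
    struct race_result r;
    run_race(0, &r);
    printf("without O_EXCL: opened=%d, victim now: %s", r.opened, r.victim);
    run_race(1, &r);
    printf("with O_EXCL:    opened=%d (%s), victim now: %s",
           r.opened, strerror(r.err), r.victim);
    char path[64];
    int fd = open_temp_safely(path, sizeof path);
    if (fd >= 0) {
        printf("mkstemp chose %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

The same check Pekka did by hand works for any program: `strace -f -e trace=open,openat <command>` and look for temp-file opens that lack O_EXCL, or that use a name with no random component. Note that the O_EXCL open alone only closes the symlink-clobber case shown here; a name that is still guessable lets an attacker pre-create a plain file so the program fails (denial of service), which is why the fix pairs O_EXCL with an unpredictable name.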


Comment 10 Mikhail Koshelev 2005-05-04 09:31:21 UTC
RH73 package in updates (sharutils-4.2.1-12.7.x.legacy.i386.rpm) wins version
comparison with new package in updates-testing
(sharutils-4.2.1-12.7.x.1.legacy.i386.rpm).

$ rpmver -v 4.2.1-12.7.x.1.legacy 4.2.1-12.7.x.legacy
RPM version 4.2.1-12.7.x.1.legacy is lesser than version 4.2.1-12.7.x.legacy.

Version bump is needed.


Comment 11 Marc Deslauriers 2005-05-06 02:07:26 UTC
Version bump was done on rh73 packages in updates-testing.

Comment 12 Pekka Savola 2005-06-16 12:42:09 UTC
Two verifys, timeout in 2 weeks.

Comment 13 Pekka Savola 2005-07-01 18:39:52 UTC
Timeout over, to be released.

Comment 14 Marc Deslauriers 2005-07-10 21:27:20 UTC
Packages were released to updates.

