Date: Thu, 19 Aug 1999 21:42:15 +0200
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Insecure use of file in /tmp by trn
Richard Kettlewell <rjk@sfere.greenend.org.uk> has reported a security
problem with trn. Trn comes with a newsgroups shell script that uses
a hardcoded filename in /tmp as temporary storage. As you all know,
this could be exploited to overwrite arbitrary files. If the file
already exists as a symbolic link to users' files, they will be
overwritten.
This was not intentional on the author's part; he tried to use
tempfile(1) to create the temporary filename. However, due to a
thinko, the name was hardcoded into the script.
I propose this patch against version 3.6.
diff -u -Nur --exclude CVS orig/trn-3.6/newsgroups.SH trn-3.6/newsgroups.SH
--- orig/trn-3.6/newsgroups.SH Thu Aug 19 12:05:40 1999
+++ trn-3.6/newsgroups.SH Thu Aug 19 12:04:59 1999
@@ -33,7 +33,7 @@
#NORMAL~*) active=\`$filexp \$active\` ;;
#NORMALesac
#NNTP
-#NNTPactive=`tempfile -p active` #"/tmp/active.\$\$"
+#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"
#NNTPrnlib=$privlib
#NNTPcase \$rnlib in
#NNTP~*) rnlib=\`$filexp \$rnlib\` ;;
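Review bot: On the `+#NNTPactive=` line the result of `tempfile -p active` is not checked, so if the command fails at run time `active` ends up empty and the script carries on with an empty filename; suggest appending `|| exit 1` to the assignment. The trailing `#"/tmp/active.\$\$"` comment also keeps the old predictable name in the script, and dropping it would avoid someone reinstating it later. The escaped backticks are consistent with the neighbouring `\`$filexp \$active\`` context lines.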
Regards,
Joey
--
Debian GNU/Linux . Security Managers . security@debian.org
debian-security-announce@lists.debian.org
Christian Hudon . Wichert Akkerman . Martin Schulze
<chrish@debian.org> . <wakkerma@debian.org> . <joey@debian.org>
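The overwrite described in the message above and two safer ways to create the temporary file, as an added example that is not part of the original message or of trn. It assumes a private sandbox directory standing in for /tmp, uses mktemp(1) in place of tempfile(1), and all function names and file names are hypothetical.

```shell
#!/bin/sh
# Added illustration: names, paths and data below are constructed.

# Unsafe: fixed name in a shared directory. ">" follows an existing symlink,
# so whoever planted the link chooses which file gets truncated.
write_fixed() {          # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/active.fixed"
}

# Safer: noclobber (set -C) makes ">" refuse to write through an existing
# regular file or a symlink to one.
write_noclobber() {      # $1 = path, $2 = data
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Safer: mktemp(1) creates a new file with an unpredictable name and fails
# rather than reuse an existing one. Prints the path it created.
make_temp() {            # $1 = directory
    mktemp "$1/active.XXXXXX"
}

# Report whether the stand-in user file still has its original content.
state() { [ "$(cat "$1")" = original ] && echo intact || echo clobbered; }

# Run all three patterns against a sandbox with a pre-planted symlink.
# Prints one word per pattern, in order: fixed name, noclobber, mktemp.
demo() {
    box=$(mktemp -d) || return 1
    victim="$box/victim"                  # stands in for a user's file
    ln -s "$victim" "$box/active.fixed"   # link waiting at the known name

    echo original > "$victim"
    write_fixed "$box" news
    out=$(state "$victim")

    echo original > "$victim"
    write_noclobber "$box/active.fixed" news || :
    out="$out $(state "$victim")"

    echo original > "$victim"
    tmp=$(make_temp "$box") || { rm -rf "$box"; return 1; }
    printf 'news\n' > "$tmp"
    out="$out $(state "$victim")"
    rm -rf "$box"
    echo "$out"
}

demo
```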