Richard Kettlewell <[EMAIL PROTECTED]> has reported a security
problem with trn.  Trn comes with a newsgroups shell script that uses
a hardcoded filename in /tmp as temporary storage.  As you all know,
this could be exploited to overwrite arbitrary files.  If the file
already exists as a symbolic link to a user's files, they will be
overwritten.

This was not intentional by the author; he tried to use tempfile(1) to
create the temporary filename.  However, due to a thinko, the name was
hardcoded into the script.

I propose this patch against version 3.6.

diff -u -Nur --exclude CVS orig/trn-3.6/newsgroups.SH trn-3.6/newsgroups.SH
--- orig/trn-3.6/newsgroups.SH  Thu Aug 19 12:05:40 1999
+++ trn-3.6/newsgroups.SH       Thu Aug 19 12:04:59 1999
@@ -33,7 +33,7 @@
 #NORMAL~*) active=\`$filexp \$active\` ;;
 #NORMALesac
 #NNTP
-#NNTPactive=`tempfile -p active`   #"/tmp/active.\$\$"
+#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
 #NNTPrnlib=$privlib
 #NNTPcase \$rnlib in
 #NNTP~*) rnlib=\`$filexp \$rnlib\` ;;
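
Review bot: the changed `#NNTPactive=` line still carries the trailing comment `#"/tmp/active.\$\$"`, so the predictable PID-based name stays in the generated script as a ready-made fallback; consider dropping that comment in the same change. The escaped backticks now match the `\`$filexp ...\`` lines in the surrounding context, which is the form that defers the command to the time the generated script runs. Nothing in this hunk checks that tempfile returned a name, so a test such as `[ -n "$active" ] || exit 1` after the assignment would be worth adding, and the commit message should say that the old form ran tempfile once at generation time.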

Regards,

        Joey

--
Debian GNU/Linux      .    Security Managers     .   [EMAIL PROTECTED]
              [EMAIL PROTECTED]
  Christian Hudon     .     Wichert Akkerman     .     Martin Schulze
<[EMAIL PROTECTED]>   .   <[EMAIL PROTECTED]>  .   <[EMAIL PROTECTED]>
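
The quoting mistake fixed by the patch above, reproduced as an added example that is not part of the original message or of trn. It assumes mktemp(1) as a stand-in for tempfile(1); the function names are hypothetical and every file is created in a private directory.

```shell
#!/bin/sh
# Constructed demo: a here-document that writes a script, as a .SH file does.
# mktemp(1) stands in for tempfile(1); all files live in a private directory.

demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT

# gen_unescaped OUT: the backticks are expanded while the script is being
# generated, so the generated script contains one fixed file name.
gen_unescaped() {
    cat >"$1" <<EOF
#!/bin/sh
active=`mktemp "$demo/active.XXXXXX"`
echo "\$active"
EOF
}

# gen_escaped OUT: the backticks are written through literally and the
# command runs on every invocation of the generated script.
gen_escaped() {
    cat >"$1" <<EOF
#!/bin/sh
active=\`mktemp "$demo/active.XXXXXX"\`
echo "\$active"
EOF
}

# distinct_names SCRIPT: run SCRIPT twice and print how many different
# temporary file names it used (1 = predictable, 2 = fresh on each run).
distinct_names() {
    { sh "$1"; sh "$1"; } | sort -u | wc -l | tr -d ' '
}

gen_unescaped "$demo/before.sh"
gen_escaped "$demo/after.sh"
echo "unescaped: $(distinct_names "$demo/before.sh") name(s) over two runs"
echo "escaped:   $(distinct_names "$demo/after.sh") name(s) over two runs"
```

Reading the two generated scripts side by side shows the difference directly: the first contains a literal path, the second contains the command.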
