Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi,

I've found unsafe uses of /tmp in some of Apache's scripts in the source; one of these (check_forensic) is installed in Debian's apache-utils package and IMHO should be fixed. They are rather low risk, but I have to set the priority to grave in any case (since they qualify).
The fix is rather straightforward (use mktemp or tempfile instead of the $$ construct and add a trap to remove the temporary files) and it is needed, especially for check_forensic. In the check_forensic script, for example, an attacker could just monitor /tmp/ usage and construct symlinks to the fc-XX.$$ files as soon as he "sees" that the fc-all.$$ file is being used.

I've verified that none of these issues affect woody's Apache (1.3.26-0woody6). The fmn.sh script was there, but it is not installed with any package, and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues; hope it helps. Please fix fmn.sh even if it is not installed in any Debian package, just to ease the work of automatic source-code review tools.

Regards,

Javier
diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh build-tree-apache/apache_1.3.33/src/helpers/fmn.sh --- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh 2004-02-16 23:23:09.000000000 +0100 +++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh 2005-01-18 00:51:03.000000000 +0100 @@ -24,8 +24,8 @@ modfile=$1 # the part from the Configure script -tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$ -rm -f $tmpfile +tmpfile=`mktemp -t fmn.XXXXXX || tempfile --prefix=fmn` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15 modname='' ext=`echo $modfile | sed 's/^.*\.//'` modbase=`echo $modfile | sed 's/\.[^.]*$//'` @@ -52,8 +52,8 @@ modname=`echo $modbase | sed 's/^.*\///' | \ sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'` fi -rm -f $tmpfile # output: the name of the module structure symbol echo "$modname" +exit 0 diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic build-tree-apache/apache_1.3.33/src/support/check_forensic --- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic 2005-01-18 00:49:23.000000000 +0100 +++ build-tree-apache/apache_1.3.33/src/support/check_forensic 2005-01-18 00:53:32.000000000 +0100 
@@ -7,9 +7,14 @@ F=$1 -cut -f 1 -d '|' $F > /tmp/fc-all.$$ -grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$ -grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$ +all=`mktemp -t fcall.XXXXXX || tempfile --prefix=fcall` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +in=`mktemp -t fcin.XXXXXX || tempfile --prefix=fcin` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +out=`mktemp -t fcout.XXXXXX || tempfile --prefix=fcout` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15 + +cut -f 1 -d '|' $F > $all +grep + < $all | cut -c2- | sort > $in +grep -- - < $all | cut -c2- | sort > $out # use -i instead of -I for GNU xargs -join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F -rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$ +join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F +exit 0
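Review bot: in the first fmn.sh hunk the handler `trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15` removes the file on a signal but does not terminate, so after SIGINT or SIGTERM the shell resumes the script with its temporary file already gone. Split it into `trap 'rm -f -- "$tmpfile"' 0` for the normal exit path and `trap 'rm -f -- "$tmpfile"; exit 1' 1 2 3 13 15` for signals (or end the single handler with an `exit`). The `mktemp ... || tempfile ...` fallback works, but when mktemp is absent the shell's "command not found" message reaches stderr before tempfile runs; `mktemp -t fmn.XXXXXX 2>/dev/null || tempfile --prefix=fmn` keeps the fallback quiet while the outer `|| { ...; exit 1; }` still reports the real failure.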
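Review bot: in the second fmn.sh hunk the added `exit 0` after `echo "$modname"` is redundant: the script ends there anyway and the trap on 0 installed in the first hunk already fires on normal termination, so the temporary file is removed without it. It is harmless, but a short comment saying the cleanup happens in the trap would stop a later reader from assuming the normal exit path is not covered.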
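Review bot: in the check_forensic hunk the cleanup trap is installed only after all three `mktemp` calls, so if the second or third one fails the `|| { ...; exit 1; }` branch exits with the earlier file(s) left behind in TMPDIR. Install the trap before the first mktemp with single quotes so the names are expanded when it fires, e.g. `trap 'rm -f -- "$all" "$in" "$out"' 0 1 2 3 13 15`; `rm -f` ignores names that do not exist yet. As in fmn.sh, the handler should also `exit` on the signal numbers, otherwise the script resumes after SIGINT with its files already deleted. Minor: `in` is a shell reserved word; `in=...` and `$in` parse as a variable here, but a name such as `fcin` is clearer to read next to `for ... in`.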