FYI, I have checked the code and filed 2 more bugs (the rest being false
positives, I think).

#496518 : Insecure use of /tmp in sympa_wizard may lead to system damage
#496520 : Insecure use of /tmp in sympa scripts

The first one is the most serious. The second one is minor.

Thanks for spotting this.

Best regards,

On Monday 25 August 2008 at 11:59 +0200, Olivier Berger wrote:
> On Thursday 21 August 2008 at 16:14 +0200, Thijs Kinkhorst wrote:
> 
> > When grepping the sympa source for "/tmp" I find quite some occurrences of
> > other files directly in tmp with insecure filenames. It should be checked
> > for each if that code is executed and whether or not they should be moved
> > to Sympa's private tempdir.
> > 
> 
> Indeed, grepping through contents of binary package gives quite some
> occurrences :
> 
> ./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
> ./usr/lib/sympa/bin/Log.pm:    #open TMP, ">/tmp/logs.dump";
> ./usr/lib/sympa/bin/tt2.pl:     open my $fh, ">/tmp/tt2/$newname";
> ./usr/lib/sympa/bin/tools.pl:    ## first step is the msg signing OK ; /tmp/sympa-smime.$$ is created
> ./usr/lib/sympa/bin/tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;
> ./usr/lib/sympa/bin/List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");
> ./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
> ./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
> ./usr/lib/sympa/bin/sympasoap.pm:#    open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxx  parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
> ./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
> ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
> ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';
> ./usr/lib/sympa/bin/Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";
> ./usr/lib/sympa/bin/Conf.pm:    # open TMP, ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, 0,\*TMP);close TMP;
> ./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 "xxxxxxxxxxxxxxxxxxx--------structure admin\n"; &tools::dump_var(\%admin, 0, \*TMP2);printf TMP2 "xxxxxxxxxxxxxxxxxxx--------\n"; close TMP2;
> ./usr/lib/sympa/bin/sympa_soap_client.pl:#                                   file => '/tmp/my_cookies' );
> ./usr/lib/sympa/bin/sympa_soap_client.pl:                                    file => '/tmp/my_cookies' );
> ./usr/lib/sympa/bin/Family.pm: #   open TMP, ">/tmp/dump1";
> ./usr/lib/sympa/bin/Auth.pm:    # open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxxx\@ trusted_apps \n"; &tools::dump_var([EMAIL PROTECTED], 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
> ./usr/lib/sympa/bin/sympa.pl:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump1";
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump2";
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi:     #open TMP, ">/tmp/dump1";
> ./usr/bin/sympa:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
> ./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
> ./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';
> 
> I think that even though the first ones reported on 
> /usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now 
> fixed by uploaded 5.3.4-5.1, there's some more need for analysis (checking 
> with upstream too).
> 
> I think that opening a distinct bug would probably be better too.
> 
> Hope this helps.
> 
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
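
A triage pass of the kind discussed in this thread, as an added example (not code from Sympa or from the posters): it takes a few of the grep hits quoted above and separates commented-out debug lines and private-spool paths from live code that writes to a predictable name under /tmp. The verdict labels, the regex and the function names are assumptions of this example, and every live hit still needs a manual check of whether the code is executed.

```python
import re

# A few hits copied from the grep output quoted in the thread (wrapped lines rejoined).
SAMPLE = r'''./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
./usr/lib/sympa/bin/Log.pm:    #open TMP, ">/tmp/logs.dump";
./usr/lib/sympa/bin/tt2.pl:     open my $fh, ">/tmp/tt2/$newname";
./usr/lib/sympa/bin/tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;
./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
./usr/lib/sympa/bin/Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";
./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';
'''

# "/tmp/" at the start of a path: not preceded by a path, word or variable
# character, so "/var/spool/sympa/tmp" and "$spool/tmp" do not match.
TMP_PATH = re.compile(r"(?<![\w/}])/tmp/[^\s\"';,)]*")

def classify(grep_line):
    """Return (file, verdict, path) for one 'file:code' grep hit."""
    fname, _, code = grep_line.partition(":")
    code = code.strip()
    m = TMP_PATH.search(code)
    if m is None:
        return fname, "no-world-tmp-path", None   # private spool dir or config value
    path = m.group(0)
    if code.startswith("#"):
        return fname, "commented-out", path       # dead debug code
    if "$$" in code[m.end():]:
        return fname, "live-pid-name", path       # PID suffix is guessable
    if "$" in path:
        return fname, "live-variable-name", path  # depends on where the variable comes from
    return fname, "live-fixed-name", path         # same name on every run

def triage(text):
    """Classify every non-empty line of grep output."""
    return [classify(line) for line in text.splitlines() if line.strip()]

def live_hits(text):
    """Only the hits that are live code using a name under /tmp."""
    return [row for row in triage(text) if row[1].startswith("live-")]

if __name__ == "__main__":
    for fname, verdict, path in triage(SAMPLE):
        print(f"{verdict:20} {fname}  {path or ''}")
```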
