FYI, I have checked the code and filed 2 more bugs (the rest being false positives, I think).
#496518 : Insecure use of /tmp in sympa_wizard may lead to system damage #496520 : Insecure use of /tmp in sympa scripts The first one is the most serious. The second one is minor. Thanks for spotting this. Best regards, Le lundi 25 août 2008 à 11:59 +0200, Olivier Berger a écrit : > Le jeudi 21 août 2008 à 16:14 +0200, Thijs Kinkhorst a écrit : > > > When grepping the sympa source for "/tmp" I find quite some occurances > > of > > other files directly in tmp with insecure filenames. It should be > > checked > > for each if that code is executed and whether or not they should be > > moved > > to Sympa's private tempdir. > > > > Indeed, grepping through contents of binary package gives quite some > occurrences : > > ./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp > ./usr/lib/sympa/bin/Log.pm: #open TMP, ">/tmp/logs.dump"; > ./usr/lib/sympa/bin/tt2.pl: open my $fh, ">/tmp/tt2/$newname"; > ./usr/lib/sympa/bin/tools.pl: ## first step is the msg signing OK ; > /tmp/sympa-smime.$$ is created > ./usr/lib/sympa/bin/tools.pl: my $temporary_file = "/tmp/smime-sender.".$$ > ; > ./usr/lib/sympa/bin/List.pm:# $parser->output_dir($Conf{'spool'} ."/tmp"); > > ./usr/lib/sympa/bin/List.pm:# open TMP2, ">/tmp/digdump"; > &tools::dump_var($param, 0, \*TMP2); close TMP2; > ./usr/lib/sympa/bin/List.pm:# open TMP2, ">/tmp/digdump"; > &tools::dump_var($param, 0, \*TMP2); close TMP2; > ./usr/lib/sympa/bin/sympasoap.pm:# open TMP2, ">>/tmp/yy"; printf TMP2 > "xxxxxxxxxx parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf > TMP2 "--------\n"; close TMP2; > ./usr/lib/sympa/bin/CAS.pm: $cas->proxyMode(pgtFile => '/tmp/pgt.txt', > ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = > '/tmp/wwsympa.conf'; > ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf'; > ./usr/lib/sympa/bin/Conf.pm: $o{'tmpdir'}[0] = "$spool/tmp"; > ./usr/lib/sympa/bin/Conf.pm: # open TMP, > ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, > 0,\*TMP);close TMP; > ./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 > "xxxxxxxxxxxxxxxxxxx--------structure admin\n"; &tools::dump_var(\%admin, 0, > \*TMP2);printf TMP2 "xxxxxxxxxxxxxxxxxxx--------\n"; close TMP2; > ./usr/lib/sympa/bin/sympa_soap_client.pl:# > file => '/tmp/my_cookies' ); > ./usr/lib/sympa/bin/sympa_soap_client.pl: > file => '/tmp/my_cookies' ); > ./usr/lib/sympa/bin/Family.pm: # open TMP, ">/tmp/dump1"; > ./usr/lib/sympa/bin/Auth.pm: # open TMP2, ">>/tmp/yy"; printf TMP2 > "xxxxxxxxxxx\@ trusted_apps \n"; &tools::dump_var([EMAIL PROTECTED], 0, > \*TMP2);printf TMP2 "--------\n"; close TMP2; > ./usr/lib/sympa/bin/sympa.pl: --make_alias_file : > create file in /tmp with all aliases (usefull when aliases.tpl is changed) > ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: # open TMP, ">/tmp/dump1"; > ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: # open TMP, ">/tmp/dump2"; > ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #open TMP, ">/tmp/dump1"; > ./usr/bin/sympa: --make_alias_file : create file in > /tmp with all aliases (usefull when aliases.tpl is changed) > ./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf'; > ./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf'; > > I think that even though the first ones reported on > /usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now > fixed by uploaded 5.3.4-5.1, there's some more need for analysis (checking > with upstream too). > > I think that opening a distinct bug would probably be better too. > > Hope this helps. > -- Olivier BERGER <[EMAIL PROTECTED]> http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC Ingénieur Recherche - Dept INF Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]