openbsd-ports/textproc/groff/patches/patch-contrib_pdfmark_pdfroff_sh
schwarze 2ad97ee4b1 Following http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330,
Solar Designer did an audit of temp file handling in groff-1.20.
He found and fixed *lots* of ugliness, but most does not look
exploitable and some was already improved in groff-1.21.

This is my own fix for the only one that, with a huge amount of extra
paranoia, might be worth patching.  To mount an exploit, the attacker
would need to trick root into setting an unusable TMPDIR (or similar)
variable in the environment such that mktemp -d fails, then convince
root to run pdfroff (*you* don't run that as root, do you?), then
handle a race condition to find the PID and predict the temp file
name to mount a symlink attack.

"I think we should still go for the fix" jasper@
2011-06-23 12:14:51 +00:00
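The attack the commit message describes, and the fail-closed alternative the patch adopts, as an added example that is not code from groff or from the OpenBSD port. Everything runs inside a scratch directory created here; the "shared" directory, the victim file, the name `pdfroff.XXXXXXXX` and the "predicted" PID 4242 are all constructed for the demonstration. The vulnerable function mirrors the removed fallback (a PID-based name written into a directory the attacker can also write to); the hardened one mirrors the patched behaviour (private directory from `mktemp -d`, hard failure otherwise).

```shell
#!/bin/sh
# Added example: why falling back to a user-nominated TMPDIR with a
# predictable pdf$$.* name is a symlink attack, and what failing closed
# looks like.  Nothing here touches the real /tmp.

# Constructed stand-in for a shared, attacker-writable TMPDIR.
SHARED=$(mktemp -d) || exit 1
# Constructed file the attacker wants the victim to clobber.
VICTIM="$SHARED/victim.txt"
printf 'original\n' > "$VICTIM"

# Vulnerable pattern (the removed fallback): write to a name derived from
# the PID inside a directory the attacker also controls.  The shell's '>'
# follows an existing symlink, so a planted link redirects the write.
vulnerable_write() {
    dir=$1; pid=$2
    echo "scratch data" > "$dir/pdf$pid.tmp"
}

# Attacker step: plant a symlink at the name the victim will use.  In the
# real scenario the PID has to be guessed or raced; here it is simply known.
plant_symlink() {
    dir=$1; pid=$2
    ln -sf "$VICTIM" "$dir/pdf$pid.tmp"
}

# Hardened pattern (what the patch does): obtain a private directory from
# mktemp -d and refuse to continue if that fails.  The base directory is
# passed explicitly so the caller can point it at an unusable location.
safe_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    d=$(mktemp -d "$base/pdfroff.XXXXXXXX") || {
        echo "pdfroff-demo: mktemp(1) -d failure in $base" >&2
        return 1
    }
    printf '%s\n' "$d"
}

# Shows the victim file's contents after the predictable-name write.
demo_vulnerable() {
    pid=4242                       # constructed "predicted" PID
    printf 'original\n' > "$VICTIM"
    plant_symlink "$SHARED" "$pid"
    vulnerable_write "$SHARED" "$pid"
    cat "$VICTIM"                  # the victim file now holds "scratch data"
}

# Shows the fail-closed path: an unusable base directory makes mktemp -d
# fail, and the hardened code stops instead of using a shared directory.
demo_safe_failure() {
    if safe_tmpdir "$SHARED/does-not-exist" >/dev/null 2>&1; then
        echo "continued"
    else
        echo "refused"
    fi
}

cleanup() {
    rm -rf "$SHARED"
}

echo "victim after predictable-name write: $(demo_vulnerable)"
echo "hardened code with unusable TMPDIR:   $(demo_safe_failure)"
```

Running it shows the two behaviours side by side: the PID-named write lands in the victim file through the planted link, while the hardened path reports the mktemp failure and stops, which is exactly what the `exit 1` in the patch below enforces.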


$OpenBSD: patch-contrib_pdfmark_pdfroff_sh,v 1.1 2011/06/23 12:14:51 schwarze Exp $
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
# references a large patch by Solar Designer.
# Some of those things are fixed in 1.21, most do not look exploitable.
# This is the only one that seems worth patching away:
--- contrib/pdfmark/pdfroff.sh.orig Fri Dec 31 08:33:09 2010
+++ contrib/pdfmark/pdfroff.sh Wed Jun 22 01:37:47 2011
@@ -153,11 +153,10 @@
else
#
# Creation of a private temporary directory was unsuccessful;
- # fall back to user nominated directory, (using current directory
- # as default), and schedule removal of only the temporary files.
- #
- GROFF_TMPDIR=${TMPDIR}
- trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0
+ # DO NOT fall back to user nominated directory,
+ # because that would allow symlink attacks.
+ echo >&2 "$CMD: mktemp(1) -d failure"
+ exit 1
fi
#
# In the case of abnormal termination events, we force an exit
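Review bot: the new diagnostic at `echo >&2 "$CMD: mktemp(1) -d failure"` tells the user that directory creation failed but not where it was attempted, and since the removed line `GROFF_TMPDIR=${TMPDIR}` shows that `${TMPDIR}` is the location in question, including it (for example `"$CMD: mktemp(1) -d failure in ${TMPDIR}"`) would make the hard `exit 1` actionable for the root user the commit message worries about. The removal of the `trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0` line is correct as written, since nothing has been created on this path when the script exits, so no cleanup is lost.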