Bugtraq mailing list archives
Re: Race condition in BRU Workstation 17.0
From: prophecy () prophecy net nz
Date: Sat, 14 Sep 2002 10:20:03 +1200 (NZST)
Thanks to Peter Watkins for the suggested fix. Also, TolisGroup have responded with confirmation of an update for the first reported race condition (http://online.securityfocus.com/bid/3970), and an ETA on a new update for this one just discovered.

Cheers,
prophecy () prophecy net nz

On Fri, 13 Sep 2002, support () tolisgroup com wrote:
The /tmp file exploit in the previous setlicense was fixed the day after it was mentioned and posted. All new versions of the setlicense program (since BRU 17.0.0.0.5) no longer require any /tmp file access.

As for this one, we are working on a new release of XBRU that will resolve it. ETA late September.

Tim Jones

On Fri, 13 Sep 2002, Peter Watkins wrote:
Isn't xbru still a Tcl script? It should not be too hard to locate references to /tmp/ and fix the problem. I've got an older copy of BRU on my system & it has a similar problem, but not exactly the same.

Anyhow, a general fix would be
1) putting the following code at the beginning of the Tcl script that xbru uses (on my system, that's xbru.tcl) and
2) replacing each instance of the string "/tmp" (without quotations) with the string "[brufixGetTmpdir]" (without quotations).

As a variant of step 1), you could save this as /usr/local/lib/brufix-tmpdir.tcl or something and modify xbru to add

    source /usr/local/lib/brufix-tmpdir.tcl

near the beginning of the script, to make the changes cleaner.

-Peter

# brufix-tmpdir.tcl
# Tcl code to make a safe temporary directory for BRU Tcl/Tk scripts
# Peter Watkins, 2002 - sample code, no guarantees
#
proc brufixSetTmpdir {} {
    # make the safe temp dir & store its name in a global var
    # or exit if errors; respect $TMPDIR if set
    global env
    global brufixTmpdir
    set brufixBaseTmpdir {/tmp}
    catch {set brufixBaseTmpdir $env(TMPDIR)}
    if {([file isdirectory $brufixBaseTmpdir] == 0) || ([file exists $brufixBaseTmpdir] == 0)} {
        puts stderr "temporary directory $brufixBaseTmpdir does not exist!"
        exit 1
    }
    set brufixTmpdir "$brufixBaseTmpdir/bru-[clock clicks]"
    if {[catch {file mkdir $brufixTmpdir}] != 0} {
        puts stderr "error creating temporary directory $brufixTmpdir !"
        exit 1
    }
    if {[catch {exec /bin/chmod 0700 $brufixTmpdir}] != 0} {
        puts stderr "error setting perms on temporary directory $brufixTmpdir !"
        exit 1
    }
}

proc brufixGetTmpdir {} {
    # return the safe temp directory name
    global brufixTmpdir
    if {([info exists brufixTmpdir] == 0) || ([string length $brufixTmpdir] == 0)} {
        puts stderr "need to call brufixSetTmpdir before brufixGetTmpdir!"
        exit 2
    }
    if {([file isdirectory $brufixTmpdir] == 0) || ([file exists $brufixTmpdir] == 0)} {
        puts stderr "BRU temporary directory $brufixTmpdir does not exist!"
        exit 3
    }
    return $brufixTmpdir
}

# early in the execution: make sure we have a good directory
# this should only be called once!
brufixSetTmpdir

On Fri, Sep 13, 2002 at 12:08:16PM +1200, prophecy () prophecy net nz wrote:

Problem:

Fix:
- No response from vendor: (support () tolisgroup com)

Strace Snippet:
[pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", "of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
[pid 32159] open("/tmp/xbru_dscheck.dd", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
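
Added example, not part of the thread and not Peter Watkins' or TolisGroup's code: a stricter variant of the temporary-directory setup quoted above. Tcl's file mkdir returns no error when the directory already exists, so this version creates the directory with mkdir(1) without -p, which fails if the name is already taken, and applies mode 0700 at creation rather than in a later chmod. The proc names brufixSetTmpdirStrict and brufixRandomSuffix are hypothetical, and /dev/urandom and /bin/mkdir are assumed to exist.

```tcl
# Added example (not from the thread). brufixSetTmpdirStrict and
# brufixRandomSuffix are hypothetical names; the strict proc sets the same
# global that brufixGetTmpdir reads.
proc brufixRandomSuffix {} {
    # 8 bytes from the kernel RNG, hex encoded (assumes /dev/urandom exists)
    set f [open /dev/urandom r]
    fconfigure $f -translation binary
    binary scan [read $f 8] H* hex
    close $f
    return $hex
}

proc brufixSetTmpdirStrict {} {
    global env brufixTmpdir
    set base /tmp
    if {[info exists env(TMPDIR)] && [string length $env(TMPDIR)] > 0} {
        set base $env(TMPDIR)
    }
    if {![file isdirectory $base]} {
        puts stderr "temporary directory $base does not exist!"
        exit 1
    }
    set dir [file join $base "bru-[brufixRandomSuffix]"]
    # mkdir(1) without -p fails if anything already has this name, and
    # -m 0700 applies the mode at creation instead of in a later chmod.
    if {[catch {exec /bin/mkdir -m 0700 $dir} err]} {
        puts stderr "error creating temporary directory $dir: $err"
        exit 1
    }
    # file type uses lstat, so a symlink is reported as "link", not followed
    if {![string equal [file type $dir] directory] || ![file owned $dir]} {
        puts stderr "temporary directory $dir is not a directory we own!"
        exit 1
    }
    set brufixTmpdir $dir
}

# Demonstration: compare both creation calls on a name that already exists.
# catch returns 0 when the call raised no error, 1 when it did.
brufixSetTmpdirStrict
puts "created $brufixTmpdir"
puts "file mkdir on existing name raised error: [catch {file mkdir $brufixTmpdir}]"
puts "mkdir(1) on existing name raised error: [catch {exec /bin/mkdir -m 0700 $brufixTmpdir}]"
file delete $brufixTmpdir
```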