Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Tue, 19 Dec 2000 17:55:48 -0800

Paul Szabo <psz () MATHS USYD EDU AU> writes:
Jonathan Fortin <jfortin () REVELEX COM> wrote:

When patchadd is executed, it creates a temporary file called
"/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
"/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...

I guess that patchadd is a "sh" script using the "<<" construct, this
being an instance of the bug I reported recently:

  http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au

This is essentially the same as the tcsh bug fixed recently in other OSs.

Speaking of which, I wonder if Sun has any plans to upgrade the tcsh 6.09.00
they provide with Solaris 8 to fix the << vulnerability.  Based on a grep of
the Dec 17 Solaris8.PatchReport, they still haven't gotten with the program
and fixed tcsh like the other vendors did some time ago.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
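
A defender-side check for the condition described in this thread, as an added example that is not part of the original posts: it lists entries named sh<pid>.<n> in a shared directory that are symlinks or world-writable. The function names audit_heredoc_tmp and make_sample and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag here-document temp files of the
# form sh<pid>.<n> that are symlinks or world-writable in a shared directory.
# audit_heredoc_tmp and make_sample are hypothetical helper names.

audit_heredoc_tmp() {
    dir=${1:-/tmp}
    found=0
    for f in "$dir"/sh*.*; do
        # Skip the unexpanded glob; keep dangling symlinks, which -e misses.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        # Keep only names that are exactly sh<digits>.<digits>.
        printf '%s\n' "$name" | grep -Eq '^sh[0-9]+\.[0-9]+$' || continue
        if [ -L "$f" ]; then
            # A link at a predictable name redirects whatever writes to it.
            echo "SYMLINK $name"
            found=$((found + 1))
        elif [ -n "$(find "$f" -prune -perm -0002 -print)" ]; then
            # Mode 666 (as reported above) sets the world-write bit 0002.
            echo "WORLD-WRITABLE $name"
            found=$((found + 1))
        fi
    done
    # Exit status 0 means nothing suspicious was found.
    [ "$found" -eq 0 ]
}

# Constructed sample: one mode-666 file, one private file, one symlink.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/sh1234.1"; chmod 666 "$d/sh1234.1"
    : > "$d/sh1234.2"; chmod 600 "$d/sh1234.2"
    ln -s /nonexistent "$d/sh1234.3"
    echo "$d"
}

sample=$(make_sample)
audit_heredoc_tmp "$sample"
rm -rf "$sample"
```

Run as `audit_heredoc_tmp /tmp` on a live system; a non-zero exit status means at least one entry was flagged.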

