Date: Thu, 4 Dec 2014 00:49:18 +0100
From: Stéphane Aulery
To: rsc@swtch.com, anselm@garbe.us, 9trouble@plan9.bell-labs.com, 9fans@9fans.net
Subject: Debian bug 737206 - rc shell uses insecurely /tmp
Message-ID: <20141203234918.GA27533@free.fr>

Hello,

I am passing on to you an open bug report from the Debian BTS about rc. I do not know to whom I should speak. The code comes from 9base, who just plan9port, etc.

Here is the report [1]:

Package: 9base
Version: 1:6-6
Severity: important
Tags: security

Murray McAllister from Red Hat Security Response Team discovered that rc creates temporary files in an insecure way:

    $ strace -o '| grep /tmp' ./test-heredoc
    open("/tmp/here217f.0000", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 5
    open("/tmp/here217f.0000", O_RDONLY|O_LARGEFILE) = 5
    moo
    unlink("/tmp/here217f.0000") = 0

As you can see, the filenames are easily predictable, and the O_EXCL flag is missing.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737206

Regards,

-- 
Stéphane Aulery

Attachment: test-heredoc

    #!/usr/lib/plan9/bin/rc
    cat << EOF
    moo
    EOF
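The open() pattern from the strace output above, set beside an exclusive create and mkstemp(), to show what the missing O_EXCL changes when the predictable name already exists. This is an added example, not code from rc, 9base or the bug report; the function names and the scratch directory are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp() and mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags and mode as seen in the strace output: an existing file is reused. */
int open_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* O_CREAT|O_EXCL: fails with EEXIST if the name already exists. */
int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 0 if all behave as expected, else a bitmask (1 weak, 2 excl,
 * 4 mkstemp); -1 on setup failure. Works only in its own scratch directory. */
int heredoc_tmp_check(void) {
    char dir[] = "/tmp/heredemoXXXXXX";   /* constructed scratch directory */
    char path[64], tmpl[64];
    struct stat st;
    int fd, bad = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/here217f.0000", dir);  /* name from the report */
    snprintf(tmpl, sizeof tmpl, "%s/hereXXXXXX", dir);

    /* Another party created the predictable name first. */
    fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);

    fd = open_weak(path);        /* succeeds and truncates the other file */
    if (fd < 0 || fstat(fd, &st) != 0 || st.st_size != 0) bad |= 1;
    if (fd >= 0) close(fd);

    fd = open_excl(path);        /* refused: the name is already taken */
    if (fd >= 0 || errno != EEXIST) bad |= 2;
    if (fd >= 0) close(fd);

    fd = mkstemp(tmpl);          /* random name, exclusive create, owner-only */
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) bad |= 4;
    if (fd >= 0) close(fd);

    unlink(tmpl); unlink(path); rmdir(dir);
    return bad;
}

int main(void) { return heredoc_tmp_check(); }
```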