zsh-workers
* difflog.pl and "security"
@ 2007-12-02 21:40 Clint Adams
  2007-12-03  1:45 ` Bart Schaefer
  0 siblings, 1 reply; 7+ messages in thread
From: Clint Adams @ 2007-12-02 21:40 UTC (permalink / raw)
  To: zsh-workers

There seems to be some excitement[1] about the tempfile handling in
difflog.pl.

[1] https://bugs.gentoo.org/show_bug.cgi?id=201022


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: difflog.pl and "security"
  2007-12-02 21:40 difflog.pl and "security" Clint Adams
@ 2007-12-03  1:45 ` Bart Schaefer
  2007-12-03 10:42   ` Peter Stephenson
  0 siblings, 1 reply; 7+ messages in thread
From: Bart Schaefer @ 2007-12-03  1:45 UTC (permalink / raw)
  To: zsh-workers

On Dec 2,  4:40pm, Clint Adams wrote:
}
} There seems to be some excitement[1] about the tempfile handling in
} difflog.pl.

I'll bet the number of times difflog.pl has been run in the last four
years, by anyone, could be counted on one hand.  Why would Gentoo even
include it in the packages?  It's strictly a tool for those maintaining
two zsh code branches in parallel.



* Re: difflog.pl and "security"
  2007-12-03  1:45 ` Bart Schaefer
@ 2007-12-03 10:42   ` Peter Stephenson
  2007-12-03 16:33     ` Bart Schaefer
  2007-12-03 21:36     ` Wayne Davison
  0 siblings, 2 replies; 7+ messages in thread
From: Peter Stephenson @ 2007-12-03 10:42 UTC (permalink / raw)
  To: zsh-workers

On Sun, 02 Dec 2007 17:45:19 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Dec 2,  4:40pm, Clint Adams wrote:
> }
> } There seems to be some excitement[1] about the tempfile handling in
> } difflog.pl.
> 
> I'll bet the number of times difflog.pl has been run in the last four
> years, by anyone, could be counted on one hand.  Why would Gentoo even
> include it in the packages?  It's strictly a tool for those maintaining
> two zsh code branches in parallel.

Yes, I'm more worried about the implication that anything distributed will
be assumed to be robust for any usage.  In the usage for which difflog.pl
is supplied, security is not an issue since you're diffing two publicly
available logs.  People need to be discouraged from thinking the same
script will work as a heavy-duty tool for logs that might need more
security.

Maybe we should simply leave it out of the distribution (but leave it in
the archive), since it's essentially no use unless you have a CVS tree.  It
might be worth adding a new list in .distfiles to indicate this...

It looks like the "distfiles" stuff isn't yet documented, as far as I can
see.

Index: Etc/zsh-development-guide
===================================================================
RCS file: /cvsroot/zsh/zsh/Etc/zsh-development-guide,v
retrieving revision 1.14
diff -u -r1.14 zsh-development-guide
--- Etc/zsh-development-guide	6 Jul 2007 21:52:39 -0000	1.14
+++ Etc/zsh-development-guide	3 Dec 2007 10:39:38 -0000
@@ -826,3 +826,33 @@
 zsh                   The Zsh Development Group (contact: <coordinator@zsh.org>)
 
 Below the top level, naming authority is delegated.
+
+
+Distribution of files
+---------------------
+
+zsh is distributed in two parts: a "src" distribution containing all
+the source files (roughly, but not exactly, corresponding to the CVS
+tree), and a "doc" distribution containing some pre-built files from
+the documentation directory.  All the files in the "doc" distribution
+may be generated from files in the "src" distribution with appropriate
+freely available tools.
+
+To indicate which files should be distributed, each directory in the CVS
+tree includes a file .distfiles that sets any number of a set of Bourne
+shell (scalar) parameters.  The value of the parameter is expanded as a
+set of standard command line arguments.  Basic globbing is allowed in the
+values.
+
+The following parameters are currently used:
+
+- DISTFILES_SRC is a list of files from the directory for the "src"
+  distribution.
+
+- DISTFILES_DOC is a list of files from the directory for the "doc"
+  distribution.
+
+- DISTFILES_NOT is a list of files that will not be included in a
+  distribution, but that need to be present in the CVS tree.  This
+  variable is not used by the zsh build process and is present for
+  the convenience of external checks.
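Review bot: the DISTFILES_NOT paragraph says the variable is not used by the build but leaves implicit what follows from that: a file is kept out of the tarball simply by not appearing in DISTFILES_SRC or DISTFILES_DOC, so DISTFILES_NOT only records that an omission is deliberate. Worth saying so directly, and worth saying that a file present in the CVS tree but in none of the three lists is what the "external checks" should flag, otherwise a forgotten file and an intentionally excluded one look identical. Also, "sets any number of a set of Bourne shell (scalar) parameters" reads awkwardly; "sets one or more of the following Bourne shell scalar parameters" says the same thing more plainly.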
Index: Util/.distfiles
===================================================================
RCS file: /cvsroot/zsh/zsh/Util/.distfiles,v
retrieving revision 1.3
diff -u -r1.3 .distfiles
--- Util/.distfiles	19 Mar 2004 10:53:04 -0000	1.3
+++ Util/.distfiles	3 Dec 2007 10:39:39 -0000
@@ -1,5 +1,11 @@
 DISTFILES_SRC='
     .distfiles
-    check_exports difflog.pl helpfiles mkdisttree.sh reporter
+    check_exports
+    helpfiles
+    mkdisttree.sh
     preconfig
+    reporter
+'
+DISTFILES_NOT='
+    difflog.pl
 '
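Review bot: removing difflog.pl from DISTFILES_SRC is the line that actually keeps it out of the release; the DISTFILES_NOT entry is documentation only, as the guide text in the same patch says. The reflow to one file per line turns a one-word change into a six-line diff, which is acceptable since it keeps the list alphabetical and makes future single-file edits clean. One thing to confirm before committing: mkdisttree.sh and anything else that sources Util/.distfiles must be indifferent to the new DISTFILES_NOT assignment, since this is the first file to set it.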


-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



* Re: difflog.pl and "security"
  2007-12-03 10:42   ` Peter Stephenson
@ 2007-12-03 16:33     ` Bart Schaefer
  2007-12-03 17:36       ` Peter Stephenson
  2007-12-03 21:36     ` Wayne Davison
  1 sibling, 1 reply; 7+ messages in thread
From: Bart Schaefer @ 2007-12-03 16:33 UTC (permalink / raw)
  To: zsh-workers

On Dec 3, 10:42am, Peter Stephenson wrote:
}
} Yes, I'm more worried about the implication that anything distributed
} will be assumed to be robust for any usage. In the usage for which
} difflog.pl is supplied, security is not an issue since you're diffing
} two publicly available logs.

If I understand the issue correctly, the problem is not what's in the
log files, but what's in /tmp.

E.g., if a local attacker can guess when difflog.pl is being run and
what its process ID is, he can create symlinks in /tmp that point
from the files difflog is about to create, to any files owned by the
person running difflog, and cause the target files to be clobbered.

My usual feeling about this is that if your local users are doing this
sort of thing, you already have problems that fixing a few scripts is
not going to solve; but there are people who have no choice but to
hand out logins first and ask questions later.


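An added example, not code from the zsh project or from any poster in this thread, that reproduces the clobber Bart describes inside a private scratch directory and puts the two openings side by side: the plain '>' open (O_CREAT|O_TRUNC, as IO::File's 'w' mode is) that the original difflog.pl used on a name built from $$, and an O_CREAT|O_EXCL open of the kind File::Temp performs. The scratch directory, the `precious` victim file and the `difflog$$.old` name are assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration of the /tmp symlink clobber; not zsh's difflog.pl.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);
use File::Spec;

# Read a whole file; returns undef if it cannot be opened.
sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# The original pattern: open for writing by a name the attacker can guess.
# '>' is O_WRONLY|O_CREAT|O_TRUNC, which follows a symlink already sitting
# at $path and truncates whatever it points to.
sub write_predictable {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print $fh $data;
    close $fh;
    return 1;
}

# The hardened pattern: O_EXCL makes the open fail if any directory entry,
# symlink included, already exists at $path, so a planted link is never
# followed.  Mode 0600 keeps other users from reading the scratch file.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print $fh $data;
    close $fh;
    return 1;
}

# A private scratch directory stands in for the shared /tmp so the demo
# cannot damage anything real; CLEANUP removes it when the script exits.
my $tmp = tempdir(CLEANUP => 1);

# The file the attacker wants destroyed: something owned by the user who
# is about to run the script.  (Constructed for the demo.)
my $victim = File::Spec->catfile($tmp, 'precious');
write_predictable($victim, "important data\n") or die "$victim: $!";

# Attacker's move: the old difflog.pl wrote /tmp/difflog$$.old, and $$ is
# visible to every local user in ps, so plant a symlink at that name first.
my $guessable = File::Spec->catfile($tmp, "difflog$$.old");
symlink($victim, $guessable) or die "symlink: $!";

# 1. The O_EXCL open refuses the planted name; the victim is untouched.
my $ok = write_exclusive($guessable, "scratch\n");
printf "O_EXCL open: %s\n", $ok ? 'succeeded' : "refused: $!";
print  "victim contains: ", slurp($victim);

# 2. File::Temp picks a random name and opens it O_CREAT|O_EXCL with mode
#    0600, so there is no name for the attacker to pre-create.
my ($fh, $name) = tempfile('difflog-XXXXXXXX', DIR => $tmp,
                           SUFFIX => '.old', UNLINK => 1);
print $fh "scratch\n";
close $fh;
print "File::Temp chose: $name\n";

# 3. The original '>' open follows the symlink and clobbers the victim.
write_predictable($guessable, "x\n");
print "after predictable open, victim contains: ", slurp($victim);
```

Run it as an ordinary user; step 1 prints "refused: File exists" and the victim still holds "important data", step 3 leaves it holding "x". On Linux with fs.protected_symlinks=1 the kernel refuses to follow a symlink in a sticky, world-writable directory when the link's owner differs from both the directory owner and the caller, which blunts the attack on a real /tmp; the demo uses a private, non-sticky directory owned by the caller, so the link is followed exactly as it would have been in 2007.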

* Re: difflog.pl and "security"
  2007-12-03 16:33     ` Bart Schaefer
@ 2007-12-03 17:36       ` Peter Stephenson
  2007-12-03 18:37         ` Bart Schaefer
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Stephenson @ 2007-12-03 17:36 UTC (permalink / raw)
  To: zsh-workers

On Mon, 03 Dec 2007 08:33:01 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Dec 3, 10:42am, Peter Stephenson wrote:
> }
> } Yes, I'm more worried about the implication that anything distributed
> } will be assumed to be robust for any usage. In the usage for which
> } difflog.pl is supplied, security is not an issue since you're diffing
> } two publicly available logs.
> 
> If I understand the issue correctly, the problem is not what's in the
> log files, but what's in /tmp.
> 
> E.g., if a local attacker can guess when difflog.pl is being run and
> what its process ID is, he can create symlinks in /tmp that point
> from the files difflog is about to create, to any files owned by the
> person running difflog, and cause the target files to be clobbered.

Yes, you're right.  However, the other remark stands...  should I commit
the change I suggested?  (There's obviously no harm in the documentation
update.)

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



* Re: difflog.pl and "security"
  2007-12-03 17:36       ` Peter Stephenson
@ 2007-12-03 18:37         ` Bart Schaefer
  0 siblings, 0 replies; 7+ messages in thread
From: Bart Schaefer @ 2007-12-03 18:37 UTC (permalink / raw)
  To: zsh-workers

On Dec 3,  5:36pm, Peter Stephenson wrote:
}
} Yes, you're right. However, the other remark stands... should I
} commit the change I suggested? (There's obviously no harm in the
} documentation update.)

Oh, I didn't realize there was any question.  Sure, commit it.  Or "+1"
as they say nowadays.



* Re: difflog.pl and "security"
  2007-12-03 10:42   ` Peter Stephenson
  2007-12-03 16:33     ` Bart Schaefer
@ 2007-12-03 21:36     ` Wayne Davison
  1 sibling, 0 replies; 7+ messages in thread
From: Wayne Davison @ 2007-12-03 21:36 UTC (permalink / raw)
  To: Peter Stephenson; +Cc: zsh-workers

On Mon, Dec 03, 2007 at 10:42:56AM +0000, Peter Stephenson wrote:
> Maybe we should simply leave it out of the distribution (but leave it in
> the archive), since it's essentially no use unless you have a CVS tree.

Seems quite reasonable to me.  I also coded up an improved version that
uses File::Temp.  I also changed the opening of the DIFF pipe to use a
newer, safer exec syntax (since we don't need this to be very portable,
I figure the perl version should be recent enough for anyone who might
be using the script).

..wayne..

[-- Attachment #2: difflog.patch --]

--- difflog.pl	18 Apr 2002 14:35:17 -0000	1.3
+++ difflog.pl	3 Dec 2007 21:32:03 -0000
@@ -2,10 +2,9 @@
 
 use strict;
 use IO::File;
+use File::Temp qw(tempfile);
 
 my @differ = qw(diff -bw);
-my $oldtmp = "/tmp/difflog$$.old";
-my $newtmp = "/tmp/difflog$$.new";
 
 my $newfn = pop(@ARGV);
 my $oldfn = pop(@ARGV);
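Review bot: with both `new IO::File(...)` calls gone from the diff loop in the next hunk, check whether `use IO::File;` is still needed for reading $oldfn and $newfn (that code is outside this diff); if nothing else uses it, drop the import in the same patch. Dropping the file-scope `$oldtmp`/`$newtmp` is right: the names are now produced per iteration by tempfile(), and having no fixed name is the point of the change.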
@@ -36,16 +35,17 @@ while ($old < @oldentries && $new < @new
   else
   {
     if ($oldhash{$oldentries[$old]} ne $newhash{$newentries[$new]}) {
-      my $oldfh = new IO::File("/tmp/difflog$$.old", 'w');
-      $oldfh->print($oldhash{$oldentries[$old]});
-      $oldfh->close();
-      my $newfh = new IO::File("/tmp/difflog$$.new", 'w');
-      $newfh->print($newhash{$newentries[$new]});
-      $newfh->close();
-      open(DIFF, join(' ', @differ, @ARGV, $oldtmp, $newtmp, '|'));
+      my($oldfh, $oldtmp) = tempfile('difflog-XXXXXXXX', SUFFIX => '.old', DIR => '/tmp');
+      print $oldfh $oldhash{$oldentries[$old]};
+      close $oldfh;
+      my($newfh, $newtmp) = tempfile('difflog-XXXXXXXX', SUFFIX => '.new', DIR => '/tmp');
+      print $newfh $newhash{$newentries[$new]};
+      close $newfh;
+      open(DIFF, '-|', @differ, @ARGV, $oldtmp, $newtmp) or die $!;
       my @lines = <DIFF>;
       close(DIFF);
-      unlink </tmp/difflog$$.*>;
+      unlink($oldtmp);
+      unlink($newtmp);
       if (@lines)
       {
 	print "diff for ", $oldentries[$old], ":\n";
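Review bot: the error path leaks temp files. tempfile() called with an explicit template does not set UNLINK, so if the second tempfile() fails or `open(DIFF, ...) or die $!` fires, $oldtmp (and possibly $newtmp) stay behind in /tmp; passing `UNLINK => 1` to both tempfile() calls lets File::Temp remove them at exit and keeps the explicit `unlink($oldtmp); unlink($newtmp);` as the normal-path cleanup. `DIR => '/tmp'` also hard-codes the directory; `TMPDIR => 1` would honour $TMPDIR and is what a user on a host with a locked-down /tmp will expect. The switch from `open(DIFF, join(' ', @differ, @ARGV, $oldtmp, $newtmp, '|'))` to the list form is the other real fix here: the string form handed the whole command line to the shell, so a log path or an element of @ARGV containing spaces or shell metacharacters was interpreted rather than passed through; the list form execs diff directly. Dropping `unlink </tmp/difflog$$.*>` is also correct, since that glob deleted whatever matched the predictable prefix, including entries an attacker had placed. Minor: `close(DIFF)` is ignored, which is fine because diff exits 1 when the files differ, but an exit status of 2 (trouble) now goes unnoticed; `close(DIFF) or $? >> 8 <= 1 or warn` would catch it.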
