Thanks to Peter Watkins for the suggested fix. Also, TolisGroup have responded with confirmation of an update for the first reported race condition (http://online.securityfocus.com/bid/3970), and an ETA on a new update for this one just discovered. Cheers, prophecy@prophecy.net.nz On Fri, 13 Sep 2002, support@tolisgroup.com wrote: > The /tmp file exploit in the previous setlicense was fixed the day after > it was mentioned and posted. All new version of the setlicense program (since > BRU 17.0.0.0.5) no longer require any /tmp file access. > > As for this one, we are working on a new release of XBRU that will > resolve it. ETA Late September. > > Tim Jones > On Fri, 13 Sep 2002, Peter Watkins wrote: > Isn't xbru still a Tcl script? It should not be too hard to locate > references to /tmp/ and fix the problem. I've got an older copy of > BRU on my system & it has a similar problem, but not exactly the same. > Anyhow, a general fix would be 1) putting the following code at the > beginning of the Tcl script that xbru uses (on my system, that's xbru.tcl) > and 2) replacing each instance of the string "/tmp" (without quotations) > with the string "[brufixGetTmpdir]" (without quotations). As a variant of > step 1), you could save this as /usr/local/lib/brufix-tmpdir.tcl or > something and modify xbru to add > source /usr/local/lib/brufix-tmpdir.tcl > near the beginning of the script, to make the changes cleaner. > > -Peter > > > # brufix-tmpdir.tcl > # Tcl code to make a safe temporary directory for BRU Tcl/Tk scripts > # Peter Watkins, 2002 - sample code, no guarantees > # > proc brufixSetTmpdir {} { > # make the safe temp dir & store its name in a global var > # or exit if errors; respect $TMPDIR if set > global env > global brufixTmpdir > set brufixBaseTmpdir {/tmp} > catch {set brufixBaseTmpdir $env(TMPDIR)} > if {([file isdirectory $brufixBaseTmpdir] == 0) || ([file exists $brufixBaseTmpdir] == 0)} { > puts stderr "temporary directory $brufixBaseTmpdir does not exist!" > exit 1 > } > set brufixTmpdir "$brufixBaseTmpdir/bru-[clock clicks]" > if {[catch {file mkdir $brufixTmpdir}] != 0} { > puts stderr "error creating temporary directory $brufixTmpdir !" > exit 1 > } > if {[catch {exec /bin/chmod 0700 $brufixTmpdir}] != 0} { > puts stderr "error setting perms on temporary directory $brufixTmpdir !" > exit 1 > } > } > proc brufixGetTmpdir {} { > # return the safe temp directory name > global brufixTmpdir > if {([info exists brufixTmpdir] == 0) || ([string length $brufixTmpdir] == 0)} { > puts stderr "need to call brufixSetTmpdir before brufixGetTmpdir!" > exit 2 > } > if {([file isdirectory $brufixTmpdir] == 0) || ([file exists $brufixTmpdir] == 0)} { > puts stderr "BRU temporary directory $brufixTmpdir does not exist!" > exit 3 > } > return $brufixTmpdir > } > # early in the execution: make sure we have a good directory > # this should only be called once! > brufixSetTmpdir > > On Fri, Sep 13, 2002 at 12:08:16PM +1200, prophecy@prophecy.net.nz wrote: > > > Problem: > > > Fix: > > - No response from vendor: (support@tolisgroup.com) > > > Strace Snippet: > > > > [pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", > > "of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0 > > [pid 32159] open("/tmp/xbru_dscheck.dd", > > O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1 > >
