COMMAND

    trn

SYSTEMS AFFECTED

    Debian

PROBLEM

    Richard Kettlewell has reported a security problem with trn.  Trn
    comes with a newsgroups shell script that uses a hardcoded
    filename in /tmp as temporary storage.  As you all know, this
    could be exploited to overwrite arbitrary files: if the file
    already exists as a symbolic link to a user's file, that file
    will be overwritten.  This was not intended by the author, who
    tried to use tempfile(1) to create the temporary filename.
    However, due to a thinko, the name was hardcoded into the script.
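
    The thinko described above, reproduced as an added example (not
    code from trn or the Debian package).  It assumes newsgroups.SH
    emits the installed script through an unquoted here-document, as
    Configure-style .SH templates do, and uses mktemp as a stand-in
    for tempfile(1); the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the .SH template writes the real script via an
# unquoted here-document, so unescaped backticks run at generation time.
# mktemp stands in for tempfile(1); all function names are hypothetical.

# gen_script MODE: print the script text the template would emit.
gen_script() {
    if [ "$1" = unescaped ]; then
        # The command runs NOW; only its output, one fixed path, is emitted.
        # (-u prints a name without creating the file, to avoid litter.)
        cat <<EOF
active=`mktemp -u "${TMPDIR:-/tmp}/active.XXXXXX"`
echo "\$active"
EOF
    else
        # The substitution is copied through and runs on every execution.
        cat <<EOF
active=\`mktemp "\${TMPDIR:-/tmp}/active.XXXXXX"\`
echo "\$active"
EOF
    fi
}

# frozen_name MODE: succeed if the emitted script assigns a literal path,
# i.e. no command substitution or variable survived generation.
frozen_name() {
    gen_script "$1" | grep -q '^active=[^`$]*$'
}

# runs_compare MODE: generate once, execute twice, report whether both
# executions used the "same" temporary path or "different" ones.
runs_compare() {
    script=$(gen_script "$1")
    a=$(sh -c "$script")
    b=$(sh -c "$script")
    rm -f -- "$a" "$b"    # remove files the escaped variant created
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

for mode in unescaped escaped; do
    if frozen_name "$mode"; then state="hardcoded"; else state="computed at run time"; fi
    echo "$mode: name is $state; two runs used $(runs_compare "$mode") paths"
done
```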

SOLUTION

    Debian GNU/Linux 2.1 alias slink
    --------------------------------

        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1.diff.gz
        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1.dsc

        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1_alpha.deb

        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1_i386.deb

        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1_m68k.deb

        ftp://ftp.debian.org/debian/dists/proposed-updates/trn_3.6-9.3.1_sparc.deb

    Debian GNU/Linux unstable alias potato
    --------------------------------------

        ftp://ftp.debian.org/debian/dists/unstable/main/source/news/trn_3.6-9.4.diff.gz
        ftp://ftp.debian.org/debian/dists/unstable/main/source/news/trn_3.6-9.4.dsc
        ftp://ftp.debian.org/debian/dists/unstable/main/source/news/trn_3.6.orig.tar.gz

        ftp://ftp.debian.org/debian/dists/unstable/main/binary-alpha/news/trn_3.6-9.4.deb

        http://security.debian.org/dists/unstable/updates/binary-arm/trn_3.6-9.4_arm.deb

        ftp://ftp.debian.org/debian/dists/unstable/main/binary-i386/news/trn_3.6-9.4.deb

        ftp://ftp.debian.org/debian/dists/unstable/main/binary-m68k/news/trn_3.6-9.4.deb

        ftp://ftp.debian.org/debian/dists/unstable/main/binary-powerpc/news/trn_3.6-9.4.deb

        ftp://ftp.debian.org/debian/dists/unstable/main/binary-sparc/news/trn_3.6-9.4.deb

    Patch against version 3.6.

    diff -u -Nur --exclude CVS orig/trn-3.6/newsgroups.SH trn-3.6/newsgroups.SH
    --- orig/trn-3.6/newsgroups.SH  Thu Aug 19 12:05:40 1999
    +++ trn-3.6/newsgroups.SH       Thu Aug 19 12:04:59 1999
    @@ -33,7 +33,7 @@
     #NORMAL~*) active=\`$filexp \$active\` ;;
     #NORMALesac
     #NNTP
    -#NNTPactive=`tempfile -p active`   #"/tmp/active.\$\$"
    +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
     #NNTPrnlib=$privlib
     #NNTPcase \$rnlib in
     #NNTP~*) rnlib=\`$filexp \$rnlib\` ;;
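
    Review bot: On the changed #NNTPactive= line, the output of
    tempfile -p active is assigned with no check, so if tempfile is
    missing or fails at run time, active is left empty and nothing in
    the visible lines stops the script from continuing; append
    "|| exit 1" (with a message) to the assignment.  tempfile(1) is
    shipped by Debian's debianutils, so as a patch against upstream
    3.6 this line is not portable as it stands.  The trailing comment
    naming /tmp/active.$$ still advertises the PID-based name and
    could be dropped or reworded so that nobody reinstates it.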

    This patch has nothing to do with the one above for Debian, as it
    uses tempfile?  This usually yields an easily predictable filename,
    for which the same exploits hold.  Just keep an eye out for the last
    PID issued, and OK, this time you might need to flip a link
    (provided that tempfile indeed refuses to return a file that is
    currently symlinked).