COMMAND

    ksh

SYSTEMS AFFECTED

    ksh

PROBLEM

    Paul Szabo found the following.  He recently reported that, like the
    recently discussed tcsh vulnerability, the Bourne shell /bin/sh
    creates its temporary files in an insecure way:

        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/sh.html

    At the  time he  also tested  the Korn  shell ksh,  and it  seemed
    safe...   but no,  ksh is  in fact  also vulnerable.  (Is this all
    shells?  We have seen tcsh, bash, sh and now ksh fail...)

    Demonstration (ksh is vulnerable if the second ls listing shows that
    the size of /tmp/silly.1 has changed, i.e. the here-document text was
    written through the planted symlink into the target file):

        #!/bin/ksh -x
        # Empty target file; its size is the tell-tale.
        touch /tmp/silly.1
        # Plant a symlink at the temporary-file name the here document
        # below will use.
        ln -s /tmp/silly.1 /tmp/sh$$.1
        ls -l /tmp/silly.* /tmp/sh$$.*
        # The here document makes ksh write to /tmp/sh$$.1, through the link.
        cat <<EOF
        Just some short text
        EOF
        # If silly.1 is no longer empty, the here-document text went into it.
        ls -l /tmp/silly.* /tmp/sh$$.*
        rm /tmp/silly.* /tmp/sh$$.*

    Vulnerable:

        Version M-11/16/88f-beta4 (IRIX 6.2, patchSG0002882)
        Version 11/16/88f (IRIX 6.5.5)
        Version M-11/16/88f (IRIX 6.5.7)
        Version 11/16/88 (HP-UX B.09.00)
        Version M-11/16/88f (Tru64 5.0)
        Version M-11/16/88i (Solaris 7)
        Version 11/16/88i (Solaris 2.5, 2.6)

    Not vulnerable:

        Version 1993-12-28 j (ast-ksh.2000-06-01 (ATT), Linux)
        Version M-11/16/88i (Solaris 8)
        Version 11/16/88 (HP-UX B.11.00)

SOLUTION

    Regarding the Korn shell redirection race condition vulnerability,
    IBM have examined their version of the Korn shell used in AIX for
    this potential problem.  They have determined that their version of
    the Korn shell is not vulnerable to this particular exploit.

    This "bug" does  not exist in  PD KSH v5.2.14  99/07/13.2, nor has
    it for a  significant amount of  time, if ever.   From examination
    of the code of 5.2.12 (i.e. at least as early as 1997) it probably
    doesn't exist there either.

    Similarly, /bin/sh on NetBSD is not vulnerable, nor should any
    /bin/sh based on any 4BSD freeware release (i.e. 4.3-net2 or later)
    be, because that of course means it is based on Kenneth Almquist's
    "ash".  Ash uses fork() to feed "here docs" to itself, and the only
    use of temporary files, at least in the NetBSD version, is in the
    more recently added command-line history editor, which was added
    recently enough to use mkstemp() [~1994], and in DEBUG-only tracing
    code.
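    The two patterns contrasted in this paragraph, and the symlink trick
    the demonstration in PROBLEM exercises, as an added example that is
    not part of the advisory or of any shell named in it.  The C program
    below replays the scenario inside a private mkdtemp() directory, so
    the only files it touches are its own: an open() with O_CREAT|O_TRUNC
    on a predictable name writes straight through the planted link into
    the target, whereas open() with O_CREAT|O_EXCL refuses the link with
    EEXIST and mkstemp() picks an unpredictable name and opens it
    exclusively.  The directory under /tmp, the silly.1 target, the
    sh1234.1 stand-in for sh$$.1 and all function names are constructed
    for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixture text; the checks below compare file sizes. */
static const char VICTIM_TEXT[] = "0123456789abcdef";   /* 16 bytes */
static const char HEREDOC_TEXT[] = "hi\n";              /* 3 bytes  */

/* Insecure pattern: predictable name, O_CREAT|O_TRUNC.  If a symlink
 * already sits at `path` the kernel follows it, so whatever the link
 * points at is truncated and overwritten with the caller's data. */
static int write_tmp_insecure(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Safe pattern: O_CREAT|O_EXCL.  POSIX requires open() to fail with
 * EEXIST if anything, a symlink included, already exists at `path`,
 * so a pre-planted name can never redirect the write. */
static int write_tmp_excl(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;                       /* errno tells why */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Size of the file a path resolves to, or -1. */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Replays the advisory's scenario in a private directory.  Returns a
 * bit mask (15 when all four observations hold), or -1 on setup error:
 *   1: the insecure open wrote through the symlink and resized silly.1
 *   2: the O_EXCL open refused the planted symlink with EEXIST
 *   4: silly.1 was left untouched by the O_EXCL attempt
 *   8: mkstemp() produced a fresh regular file under a name of its own */
int run_symlink_race_demo(void)
{
    char dir[] = "/tmp/heredoc-demo.XXXXXX";           /* constructed sandbox */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], planted[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/silly.1", dir);
    snprintf(planted, sizeof planted, "%s/sh1234.1", dir); /* stands in for sh$$.1 */
    snprintf(tmpl, sizeof tmpl, "%s/shXXXXXX", dir);

    int result = 0;
    if (write_tmp_excl(victim, VICTIM_TEXT) == 0 && symlink(victim, planted) == 0) {
        /* 1: the defect.  The "here document" meant for sh1234.1 lands in silly.1. */
        write_tmp_insecure(planted, HEREDOC_TEXT);
        if (file_size(victim) == (long)strlen(HEREDOC_TEXT))
            result |= 1;

        /* Restore the fixture; victim is a regular file here, not a link. */
        write_tmp_insecure(victim, VICTIM_TEXT);

        /* 2 and 4: the fix.  O_EXCL sees the planted link and refuses. */
        errno = 0;
        int rc = write_tmp_excl(planted, HEREDOC_TEXT);
        int saved = errno;
        if (rc == -1 && saved == EEXIST)
            result |= 2;
        if (file_size(victim) == (long)strlen(VICTIM_TEXT))
            result |= 4;

        /* 8: the mkstemp() approach the paragraph credits to ash/NetBSD. */
        int fd = mkstemp(tmpl);
        struct stat st;
        if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            strcmp(tmpl, planted) != 0)
            result |= 8;
        if (fd >= 0) {
            close(fd);
            unlink(tmpl);
        }
    }

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_race_demo();
    printf("observations: %d (15 means all four held)\n", r);
    return r == 15 ? 0 : 1;
}
```

    The bit mask makes the point of the advisory's ls comparison
    explicit: bit 1 is exactly the "size of silly.1 changed" condition,
    and bits 2 and 8 are the two ways a shell avoids it.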

    Any really ancient true Bourne shell (e.g. those based on the
    original Seventh Edition Unix) won't be vulnerable either, because
    they use the creat(2) system call to try creating any temporary
    file.  That probably includes any more recent AT&T UNIX System V
    (derived) /bin/sh too.