COMMAND
tcsh
SYSTEMS AFFECTED
most unices
PROBLEM
'proton' found following. Here's the problem:
/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 ->
rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#
This has been tested on:
- 6.07.02 (Astron) 1996-10-27
- 6.08.00 (Astron) 1998-10-02
- 6.09.00 (Astron) 1999-08-16 (latest)
SOLUTION
Make sure root (and other sensitive user accounts) doesnt have any
predictable jobs (cron, ~/.cshrc, ...) that uses tcsh AND `<<'
redirects.
This was fixed in the tcsh CVS repo with the following patch:
Index: sh.dol.c
=====================================================================
RCS file: /mnt/ncvs/src/contrib/tcsh/sh.dol.c,v
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3.2.1 sh.dol.c
--- sh.dol.c 2000/06/10 22:25:57 1.1.1.3.2.1
+++ sh.dol.c 2000/11/04 22:23:29
@@ -1,4 +1,4 @@
-/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */
+/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $ */
/*
* sh.dol.c: Variable substitutions
*/
@@ -36,7 +36,7 @@
*/
#include "sh.h"
-RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $")
+RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $")
/*
* C shell
@@ -1017,7 +1017,7 @@
heredoc(term)
Char *term;
{
- register int c;
+ int c;
Char *Dv[2];
Char obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE];
int ocnt, lcnt, mcnt;
@@ -1025,7 +1025,9 @@
Char **vp;
bool quoted;
char *tmp;
+ struct timeval tv;
+again:
tmp = short2str(shtemp);
#ifndef O_CREAT
# define O_CREAT 0
@@ -1036,12 +1038,22 @@
#ifndef O_TEMPORARY
# define O_TEMPORARY 0
#endif
- if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) {
- int oerrno = errno;
-
+#ifndef O_EXCL
+# define O_EXCL 0
+#endif
+ if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) == -1) {
+ int oerrno = errno;
+ if (errno == EEXIST) {
+ if (unlink(tmp) == -1) {
+ (void) gettimeofday(&tv, NULL);
+ shtemp = Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^
+ ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff));
+ }
+ goto again;
+ }
(void) unlink(tmp);
errno = oerrno;
- stderror(ERR_SYSTEM, tmp, strerror(errno));
+ stderror(ERR_SYSTEM, tmp, strerror(errno));
}
(void) unlink(tmp); /* 0 0 inode! */
Dv[0] = term;
For Debian:
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00-10.diff.gz
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00-10.dsc
http://security.debian.org/dists/stable/updates/main/source/tcsh_6.09.00.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-all/tcsh-i18n_6.09.00-10_all.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/tcsh-kanji_6.09.00-10_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/tcsh_6.09.00-10_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/tcsh-kanji_6.09.00-10_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/tcsh_6.09.00-10_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/tcsh-kanji_6.09.00-10_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/tcsh_6.09.00-10_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/tcsh-kanji_6.09.00-10_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/tcsh_6.09.00-10_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcsh-kanji_6.09.00-10_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcsh_6.09.00-10_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/tcsh-kanji_6.09.00-10_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/tcsh_6.09.00-10_sparc.deb
For FreeBSD:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch.asc
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch.asc
[tcsh]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/tcsh-6.09.03_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/tcsh-6.09.03_1.tgz
[44bsd-csh]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/44bsd-csh-20001106.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/44bsd-csh-20001106.tgz
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/tcsh-6.08.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/tcsh-6.08.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/tcsh-6.08.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/tcsh-6.08.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/tcsh-6.09.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/tcsh-6.09.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/tcsh-6.09.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/tcsh-6.09.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SPMS/tcsh-6.10.00-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/tcsh-6.09.00-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/tcsh-6.09.00-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/tcsh-6.09.00-7cl.i386.rpm
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/tcsh-6.10.00-2.i386.rpm
RPMS/tcsh-doc-html-6.10.00-2.i386.rpm
SRPMS/tcsh-6.10.00-2.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/tcsh-6.10.00-2.i386.rpm
RPMS/tcsh-doc-html-6.10.00-2.i386.rpm
SRPMS/tcsh-6.10.00-2.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/tcsh-6.10.00-2.i386.rpm
RPMS/tcsh-doc-html-6.10.00-2.i386.rpm
SRPMS/tcsh-6.10.00-2.src.rpm
For Immunix OS:
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/6.2/updates/SRPMS/tcsh-6.10-0.6.x_StackGuard.src.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/tcsh-6.10-1_StackGuard.src.rpm =20
For Trustix:
tcsh-6.09-5tr.i586.rpm
tcsh-6.09-5tr.src.rpm
Get these updates at:
ftp://ftp.trustix.net/pub/Trustix/updates/
http://www.trustix.net/pub/Trustix/updates/