
Using redirector '<<' invoking shells may create suid files in /tmp
29th Jan 2002 [SBWID-5037]
COMMAND

	Using redirector '<<' invoking shells may create suid files in
	/tmp

SYSTEMS AFFECTED

	All ?? except BSDI and OpenBSD

PROBLEM

	Editor's note: this is based on a CERT advisory initially released in
	October 1991, for which we couldn't find an archive in our repository.
	This issue reared its head today due to a patch posted for Irix.
	

	Based on CERT advisory [http://www.kb.cert.org/vuls/id/10277] :
	

	When  performing  the  "<<"  redirection,  /bin/sh   creates   a
	temporary file in /tmp with a name  based  on  the  process  id,  writes
	subsequent input out to that file,  and  then  closes  the  file  before
	re-opening it as the standard input of the command to  be  executed.  At
	no stage are the results  of  the  creat(),  write(),  or  open()  calls
	checked for an error status.
	

	If the sticky bit is not set on /tmp, the file can  be  simply  removed,
	and a new file created in its place. If the sticky bit is set,  then  it
	is possible to guess what the file will be called and create  it  before
	/bin/sh does (the creat() call performed by the shell  does  not  result
	in an open() call with O_EXCL set) and hence it is possible to  maintain
	a handle on the underlying file.
	

	If a fifo is created in place of the temporary file it  is  particularly
	easy to insert an  extra  command  into  the  input  transparently,  and
	without having to worry about ensuring the bug is exploited  during  the
	narrow window of time in which it occurs.
	

	Even without reading, creating this file  may  block  the  execution  of
	commands using the << operator. It may also be possible to  create
	a symbolic link named as the temporary file and  pointed  to  any  other
	file on the system writable by the user of the shell, which may lead  to
	corruption of the file to which the link is pointed.
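
	The missing checks described above, shown as an added example (not
	the vendor patch or code from the advisory): an exclusive create that
	refuses a pre-planted file, FIFO or symlink, and a here-document helper
	that never re-opens the file by name. The names create_exclusive,
	heredoc_fd and the heredoc.XXXXXX template are assumptions.

```c
/* Added example, not vendor code: here-document temp file with every call checked. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Exclusive create at a fixed path: fails with EEXIST if a file, FIFO or
 * symlink was planted there first (O_EXCL never follows a final symlink). */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Store the here-document body in an unpredictable, exclusively created
 * file and return a descriptor rewound to offset 0, ready to become the
 * command's stdin. Returns -1 on any failure. */
int heredoc_fd(const char *dir, const char *body, size_t len)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/heredoc.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = mkstemp(path);          /* O_RDWR|O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    if (unlink(path) != 0)           /* no name left to remove or replace */
        goto fail;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        goto fail;
    while (len > 0) {
        ssize_t w = write(fd, body, len);
        if (w < 0 && errno == EINTR)
            continue;
        if (w <= 0)
            goto fail;               /* a failed write is an error, not ignored */
        body += w;
        len -= (size_t)w;
    }
    if (lseek(fd, 0, SEEK_SET) != 0)
        goto fail;
    return fd;                       /* same descriptor, never re-opened by name */
fail:
    close(fd);
    return -1;
}
```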

SOLUTION

	Since the initial release of this  advisory,  probably  all  Unixes  are
	patched. SGI IRIX posted a patch today :
	

	 

	   OS Version     Vulnerable?     Patch #      Other Actions
	   ----------     -----------     -------      -------------
	   IRIX 3.x        unknown                     Note 1
	   IRIX 4.x        unknown                     Note 1
	   IRIX 5.x        unknown                     Note 1
	   IRIX 6.0.x      unknown                     Note 1
	   IRIX 6.1        unknown                     Note 1
	   IRIX 6.2        unknown                     Note 1
	   IRIX 6.3        unknown                     Note 1
	   IRIX 6.4        unknown                     Note 1
	   IRIX 6.5          yes                       Notes 2 & 3
	   IRIX 6.5.1        yes                       Notes 2 & 3
	   IRIX 6.5.2        yes                       Notes 2 & 3
	   IRIX 6.5.3        yes                       Notes 2 & 3
	   IRIX 6.5.4        yes                       Notes 2 & 3
	   IRIX 6.5.5        yes                       Notes 2 & 3
	   IRIX 6.5.6        yes                       Notes 2 & 3
	   IRIX 6.5.7        yes                       Notes 2 & 3
	   IRIX 6.5.8        yes                       Notes 2 & 3
	   IRIX 6.5.9        yes                       Notes 2 & 3
	   IRIX 6.5.10m      yes          4469         Note 3
	   IRIX 6.5.10f      yes          4470         Note 3
	   IRIX 6.5.11m      yes          4469         Note 3
	   IRIX 6.5.11f      yes          4470         Note 3
	   IRIX 6.5.12m      yes          4469         Note 3
	   IRIX 6.5.12f      yes          4470         Note 3
	   IRIX 6.5.13m      yes          4469         Note 3
	   IRIX 6.5.13f      yes          4470         Note 3
	   IRIX 6.5.14m      no                        Note 3
	   IRIX 6.5.14f      no                        Note 3

	

	

	Compaq Tru64unix patch (30 January 2002)
	

	http://ftp.support.compaq.com/patches/.new/unix.shtml 

	
