Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: Paul Szabo <psz () MATHS USYD EDU AU>
Date: Sat, 23 Dec 2000 07:17:26 +1100

Darren Moffat <Darren.Moffat () ENG SUN COM> wrote:

Since patchadd is a script the bug is pretty easy to fix...
So here is a set of diffs to patchadd for those that really can't wait.
[ replaces /tmp by a safe ${WORKDIR} ]

Wow! That was quick.

However you seem to have missed the "cat << EOF" constructs, which I
believe were the subject of the original report:

Jonathan Fortin <jfortin () REVELEX COM> wrote:
When patchadd is executed, it creates a temporary file called
"/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
"/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...

That is a bug in the ksh you are using: do not use "here documents" until
you fix the ksh. Need to check/fix all rootly ksh and sh scripts.

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
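
The check suggested above (finding the here documents in root-run ksh and sh scripts) can be started with a scan like the one below. It is an added example, not part of the original post or of patchadd; the function names are hypothetical and the matching is heuristic.

```shell
#!/bin/sh
# Added example: report here-document redirections in sh/ksh scripts so they
# can be reviewed. Function names are hypothetical; matching is heuristic
# (an inline comment or a shift on a variable can produce a false hit).

# is_sh_script FILE: true when the #! line names sh or ksh (not bash, csh, ...).
is_sh_script() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#!.*[/[:space:]](sh|ksh)([[:space:]]|$)'
}

# find_heredocs FILE: print FILE:LINE:TEXT for each line that opens a
# here-document. Body lines are skipped so their text is not reported.
find_heredocs() {
    awk -v file="$1" -v sq="'" '
        delim != "" {                          # inside a here-document body
            line = $0
            if (strip) sub(/^\t+/, "", line)   # "<<-" allows leading tabs
            if (line == delim) delim = ""
            next
        }
        /^[ \t]*#/ { next }                    # whole-line comment
        {
            s = $0
            gsub(/<<</, "", s)                 # here-strings are not here-documents
            if (!match(s, /<<-?[ \t]*[^ \t0-9]/)) next
            strip = (substr(s, RSTART + 2, 1) == "-")
            delim = substr(s, RSTART + 2 + strip)
            sub(/^[ \t]+/, "", delim)
            sub(/[ \t;|&<>)].*$/, "", delim)   # keep only the delimiter word
            gsub(/["\\]/, "", delim)           # drop quoting: "EOF", \EOF
            gsub(sq, "", delim)                # ... and single quotes
            printf "%s:%d:%s\n", file, NR, $0
        }
    ' "$1"
}

# audit_heredocs PATH...: run find_heredocs on every sh/ksh script under PATH.
audit_heredocs() {
    find "$@" -type f -print | while IFS= read -r f; do
        if is_sh_script "$f"; then find_heredocs "$f"; fi
    done
}

if [ "$#" -gt 0 ]; then audit_heredocs "$@"; fi
```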

