[iproute] Address dangerous /tmp files security issue (CVE-2012-1088, #797881, #797878)

Petr Šabata psabata at fedoraproject.org
Thu Mar 1 09:44:24 UTC 2012


commit d4914dfff88179293c67034f1e52d9a659bb1198
Author: Petr Šabata <contyk at redhat.com>
Date:   Thu Mar 1 10:40:39 2012 +0100

    Address dangerous /tmp files security issue (CVE-2012-1088, #797881, #797878)

 iproute.spec                                       |   10 +-
 ...te2-3.2.0-Dont-put-configure-files-in-tmp.patch |  165 ++++++++++++++++++++
 ...te2-3.2.0-dhcp-client-script-dont-use-tmp.patch |   27 ++++
 3 files changed, 200 insertions(+), 2 deletions(-)
---
diff --git a/iproute.spec b/iproute.spec
index d0c742d..fb013e2 100644
--- a/iproute.spec
+++ b/iproute.spec
@@ -2,7 +2,7 @@
 Summary:            Advanced IP routing and network device configuration tools
 Name:               iproute
 Version:            3.2.0
-Release:            2%{?dist}
+Release:            3%{?dist}
 Group:              Applications/System
 URL:                http://kernel.org/pub/linux/utils/networking/%{name}2/
 Source0:            http://kernel.org/pub/linux/utils/networking/%{name}2/%{name}2-%{version}.tar.bz2
@@ -19,7 +19,8 @@ Patch7:             iproute2-2.6.35-print-route.patch
 Patch8:             iproute2-print-route-u32.patch
 Patch9:             iproute2-2.6.39-create-peer-veth-without-a-name.patch
 Patch10:            iproute2-2.6.39-lnstat-dump-to-stdout.patch
-
+Patch11:            iproute2-3.2.0-Dont-put-configure-files-in-tmp.patch
+Patch12:            iproute2-3.2.0-dhcp-client-script-dont-use-tmp.patch
 License:            GPLv2+ and Public Domain
 BuildRequires:      tex(latex) tex(dvips) linuxdoc-tools
 BuildRequires:      flex linux-atm-libs-devel psutils db4-devel bison
@@ -66,6 +67,8 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
 %patch8 -p1 -b .print-route-u32
 %patch9 -p1 -b .peer-veth-without-name
 %patch10 -p1 -b .lnstat-dump-to-stdout
+%patch11 -p1 -b .tmp
+%patch12 -p1 -b .tmp-dhcp
 
 %build
 export LIBDIR=/%{_libdir}
@@ -175,6 +178,9 @@ done
 %{_includedir}/libnetlink.h
 
 %changelog
+* Mon Feb 27 2012 Petr Šabata <contyk at redhat.com> - 3.2.0-3
+- Address dangerous /tmp files security issue (CVE-2012-1088, #797881, #797878)
+
 * Fri Jan 27 2012 Petr Šabata <contyk at redhat.com> - 3.2.0-2
 - Simplify the spec a bit thanks to the UsrMove feature
 
diff --git a/iproute2-3.2.0-Dont-put-configure-files-in-tmp.patch b/iproute2-3.2.0-Dont-put-configure-files-in-tmp.patch
new file mode 100644
index 0000000..6b81f33
--- /dev/null
+++ b/iproute2-3.2.0-Dont-put-configure-files-in-tmp.patch
@@ -0,0 +1,165 @@
+From e557d1ac3a156ba7521ba44b0b412af4542f83f8 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger at vyatta.com>
+Date: Wed, 15 Feb 2012 10:03:39 -0800
+Subject: [PATCH] Don't put configure files in /tmp
+
+Based on patch by Vasiliy Kulikov <segoon at openwall.com>
+Don't use /tmp since it is dangerous, instead put temporary files
+from configure script in build directory. This is what autoconf
+generated configure does.
+---
+ .gitignore |    1 +
+ configure  |   34 +++++++++++++++++++---------------
+ 2 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/.gitignore b/.gitignore
+index c784159..3ba2632 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,4 +1,5 @@
+ static-syms.h
++config.*
+ Config
+ *.o
+ *.a
+diff --git a/configure b/configure
+index 09a6987..0f4444f 100755
+--- a/configure
++++ b/configure
+@@ -3,9 +3,13 @@
+ #
+ INCLUDE=${1:-"$PWD/include"}
+ 
++# Make a temp directory in build tree.
++TMPDIR=$(mktemp -d config.XXXXXX)
++trap 'status=$?; rm -rf $TMPDIRa; exit $status' EXIT HUP INT QUIT TERM
++
+ check_atm()
+ {
+-cat >/tmp/atmtest.c <<EOF
++cat >$TMPDIR/atmtest.c <<EOF
+ #include <atm.h>
+ int main(int argc, char **argv) {
+ 	struct atm_qos qos;
+@@ -13,7 +17,7 @@ int main(int argc, char **argv) {
+ 	return 0;
+ }
+ EOF
+-gcc -I$INCLUDE -o /tmp/atmtest /tmp/atmtest.c -latm >/dev/null 2>&1 
++gcc -I$INCLUDE -o $TMPDIR/atmtest $TMPDIR/atmtest.c -latm >/dev/null 2>&1 
+ if [ $? -eq 0 ]
+ then
+     echo "TC_CONFIG_ATM:=y" >>Config
+@@ -21,13 +25,13 @@ then
+ else
+     echo no
+ fi
+-rm -f /tmp/atmtest.c /tmp/atmtest
++rm -f $TMPDIR/atmtest.c $TMPDIR/atmtest
+ }
+ 
+ check_xt()
+ {
+ #check if we have xtables from iptables >= 1.4.5.
+-cat >/tmp/ipttest.c <<EOF
++cat >$TMPDIR/ipttest.c <<EOF
+ #include <xtables.h>
+ #include <linux/netfilter.h>
+ static struct xtables_globals test_globals = {
+@@ -47,12 +51,12 @@ int main(int argc, char **argv)
+ 
+ EOF
+ 
+-if gcc -I$INCLUDE $IPTC -o /tmp/ipttest /tmp/ipttest.c $IPTL $(pkg-config xtables --cflags --libs) -ldl >/dev/null 2>&1
++if gcc -I$INCLUDE $IPTC -o $TMPDIR/ipttest $TMPDIR/ipttest.c $IPTL $(pkg-config xtables --cflags --libs) -ldl >/dev/null 2>&1
+ then
+ 	echo "TC_CONFIG_XT:=y" >>Config
+ 	echo "using xtables"
+ fi
+-rm -f /tmp/ipttest.c /tmp/ipttest
++rm -f $TMPDIR/ipttest.c $TMPDIR/ipttest
+ }
+ 
+ check_xt_old()
+@@ -64,7 +68,7 @@ then
+ fi
+ 
+ #check if we dont need our internal header ..
+-cat >/tmp/ipttest.c <<EOF
++cat >$TMPDIR/ipttest.c <<EOF
+ #include <xtables.h>
+ char *lib_dir;
+ unsigned int global_option_offset = 0;
+@@ -84,14 +88,14 @@ int main(int argc, char **argv) {
+ }
+ 
+ EOF
+-gcc -I$INCLUDE $IPTC -o /tmp/ipttest /tmp/ipttest.c $IPTL -ldl >/dev/null 2>&1
++gcc -I$INCLUDE $IPTC -o $TMPDIR/ipttest $TMPDIR/ipttest.c $IPTL -ldl >/dev/null 2>&1
+ 
+ if [ $? -eq 0 ]
+ then
+ 	echo "TC_CONFIG_XT_OLD:=y" >>Config
+ 	echo "using old xtables (no need for xt-internal.h)"
+ fi
+-rm -f /tmp/ipttest.c /tmp/ipttest
++rm -f $TMPDIR/ipttest.c $TMPDIR/ipttest
+ }
+ 
+ check_xt_old_internal_h()
+@@ -103,7 +107,7 @@ then
+ fi
+ 
+ #check if we need our own internal.h
+-cat >/tmp/ipttest.c <<EOF
++cat >$TMPDIR/ipttest.c <<EOF
+ #include <xtables.h>
+ #include "xt-internal.h"
+ char *lib_dir;
+@@ -124,14 +128,14 @@ int main(int argc, char **argv) {
+ }
+ 
+ EOF
+-gcc -I$INCLUDE $IPTC -o /tmp/ipttest /tmp/ipttest.c $IPTL -ldl >/dev/null 2>&1
++gcc -I$INCLUDE $IPTC -o $TMPDIR/ipttest $TMPDIR/ipttest.c $IPTL -ldl >/dev/null 2>&1
+ 
+ if [ $? -eq 0 ]
+ then
+ 	echo "using old xtables with xt-internal.h"
+ 	echo "TC_CONFIG_XT_OLD_H:=y" >>Config
+ fi
+-rm -f /tmp/ipttest.c /tmp/ipttest
++rm -f $TMPDIR/ipttest.c $TMPDIR/ipttest
+ }
+ 
+ check_ipt()
+@@ -160,7 +164,7 @@ check_ipt_lib_dir()
+ 
+ check_setns()
+ {
+-cat >/tmp/setnstest.c <<EOF
++cat >$TMPDIR/setnstest.c <<EOF
+ #include <sched.h>
+ int main(int argc, char **argv) 
+ {
+@@ -168,7 +172,7 @@ int main(int argc, char **argv)
+ 	return 0;
+ }
+ EOF
+-gcc -I$INCLUDE -o /tmp/setnstest /tmp/setnstest.c >/dev/null 2>&1
++gcc -I$INCLUDE -o $TMPDIR/setnstest $TMPDIR/setnstest.c >/dev/null 2>&1
+ if [ $? -eq 0 ]
+ then
+ 	echo "IP_CONFIG_SETNS:=y" >>Config
+@@ -176,7 +180,7 @@ then
+ else
+ 	echo "no"
+ fi
+-rm -f /tmp/setnstest.c /tmp/setnstest
++rm -f $TMPDIR/setnstest.c $TMPDIR/setnstest
+ }
+ 
+ echo "# Generated config based on" $INCLUDE >Config
+-- 
+1.7.6.5
+
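Review bot: The cleanup trap on the added `trap` line references `$TMPDIRa` rather than `$TMPDIR`, so it expands to nothing and the `config.XXXXXX` directory created by `mktemp -d` is never removed; the new `.gitignore` entry only hides the leftover. The `mktemp -d` result is also unchecked, and with an empty `TMPDIR` every later `$TMPDIR/atmtest.c`, `$TMPDIR/ipttest` and `$TMPDIR/setnstest` path resolves to the filesystem root. I would make the two lines `TMPDIR=$(mktemp -d config.XXXXXX) || exit 1` and `trap 'status=$?; rm -rf "$TMPDIR"; exit $status' EXIT HUP INT QUIT TERM`. Since `TMPDIR` is also the environment variable that `mktemp` and, I believe, gcc consult, a script-local name such as `CONFTMP` would avoid re-pointing an already-exported `TMPDIR` at a relative path if the caller has one set.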
diff --git a/iproute2-3.2.0-dhcp-client-script-dont-use-tmp.patch b/iproute2-3.2.0-dhcp-client-script-dont-use-tmp.patch
new file mode 100644
index 0000000..2145791
--- /dev/null
+++ b/iproute2-3.2.0-dhcp-client-script-dont-use-tmp.patch
@@ -0,0 +1,27 @@
+From 20ed7b24df05eadf83168d1d0ce0052a31380928 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger at vyatta.com>
+Date: Wed, 15 Feb 2012 10:05:45 -0800
+Subject: [PATCH] dhcp-client-script: don't use /tmp
+
+/tmp is a dangerous place and better to put log files in /var/log.
+Based on patch by Vasiliy Kulikov <segoon at openwall.com>
+---
+ examples/dhcp-client-script |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/examples/dhcp-client-script b/examples/dhcp-client-script
+index 7207b57..f39bc10 100644
+--- a/examples/dhcp-client-script
++++ b/examples/dhcp-client-script
+@@ -14,7 +14,7 @@
+ # we should install and preserve.
+ #
+ 
+-exec >> /tmp/DHS.log 2>&1
++exec >> /var/log/DHS.log 2>&1
+ 
+ echo dhc-script $* reason=$reason
+ set | grep "^\(old_\|new_\|check_\)"
+-- 
+1.7.6.5
+
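Review bot: The new `exec >> /var/log/DHS.log 2>&1` creates the log with whatever umask the script inherits, and the unchanged `set | grep "^\(old_\|new_\|check_\)"` line right after it appends DHCP-supplied variables to that file on every invocation, so the log may end up readable by other local users depending on the caller's umask. Adding `umask 077` immediately before the `exec` line would keep the file private without changing what is logged. The script presumably runs with enough privilege to write under `/var/log`; if it does not, the redirect fails where the old `/tmp` path succeeded, which may be worth a comment in the example.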

