Insecure temp file creation fix - peer review please

From: Derek Fountain (dflists_at_iinet.net.au)
Date: 08/26/04


To: secprog@securityfocus.com
Date: Thu, 26 Aug 2004 15:42:28 +0800

A few days back I noticed that the /usr/bin/asciiview script from the
aalib-1.4.0-275 package in SUSE-9.1 used insecure temp file creation. The
exploit is trivial and allows an attacker to cause a victim to overwrite any
of the victim's files. I've reported this to SUSE.

The project over at Sourceforge (http://aa-project.sourceforge.net) appears to
be dead, having had no update for 3 years. Emails to the two maintainers (at
least the email addresses found in the SUSE RPM information) came bouncing
back. So I thought I'd fix the bug myself... :) Since the script is small, I
can post it here - see below. Perhaps someone with a bit more experience at
this sort of thing can have a look at it to see if I've done it properly?

If my fix checks out I'll post it on the Sourceforge project page, although
whether anything good will actually become of it is anyone's guess...

#!/bin/bash
# asciiview - an ascii art image browser script. Front end for aview/aaflip

TDIR=${TMPDIR:-/tmp}/aview_$$
FIFO=$TDIR/aview$$.pgm

# Cleanup handler: stop the background converter, then remove the FIFO and its directory
clear()
{
  kill $! 2>/dev/null
  rm -f "$FIFO" 2>/dev/null
  rmdir "$TDIR" 2>/dev/null
}
# Convert an image to PNM, trying anytopnm first and ImageMagick's convert second
myconvert()
{
   if anytopnm "$1" >"$FIFO" 2>/dev/null ; then
     exit
   elif convert -colorspace gray "$1" pgm:- 2>/dev/null ; then
     exit
   fi
   echo "Failed to convert file format to PNM by both convert and anytopnm" >&2
   while true; do
     echo "0 "
   done
}
filenames=""
options=""
if [ "$1" = "" ]; then
  echo "$0 - an ascii art image/animation browser.

  To run this script you need aview, aaflip and NetPBM or ImageMagick.
  You may browse any graphics format supported by NetPBM or ImageMagick
  and .fli/.flc files.

  Usage:
   $0 [options] [filenames]

  type aview --help [enter] for list of options.
  "
  exit 1
fi
while [ "$1" != "" ]; do
  case $1 in
    "-font" | "-driver" | "-kbddriver" | "-mousedriver" | "-*width" | \
    "-*height" | "-bright" | "-contrast" | "-gamma" | \
    "-random" | "-dimmul" | "-boldmul")
      options="$options $1 $2"
      shift
      shift
      ;;
    -*)
      options="$options $1"
      shift
      ;;
    *)
      filenames="$filenames $1"
      shift
      ;;
  esac
done

trap clear 0
# mkdir fails if $TDIR already exists (even as a symlink), so a pre-created path is never used
(umask 077 && mkdir "$TDIR") || {
    echo "Unable to create temp directory $TDIR"
    exit 1
}
mkfifo "$FIFO" || {
    echo "Unable to create FIFO $FIFO"
    exit 1
}
for name in $filenames ; do
  if test -r "$name" ; then
    case $name in
      *.fli | *.flc | *.flic )
        PATH="$PATH:."
        aaflip $options "$name"
        ;;
      *)
        myconvert "$name" >"$FIFO" &
        pid=$!
        PATH="$PATH:."
        aview $options "$FIFO"
        kill $pid 2>/dev/null
        ;;
    esac
  else
    echo "$name could not be opened"
  fi
done


