Re: Race condition in BRU Workstation 17.0

Thanks to Peter Watkins for the suggested fix.

Also, TolisGroup have responded with confirmation of an update for the first reported race 
condition (http://online.securityfocus.com/bid/3970), and an ETA on a new update for this one just discovered.

Cheers,
prophecy@prophecy.net.nz



On Fri, 13 Sep 2002, support@tolisgroup.com wrote:

> The /tmp file exploit in the previous setlicense was fixed the day after 
> it was mentioned and posted.  All new version of the setlicense program (since 
> BRU 17.0.0.0.5) no longer require any /tmp file access.
> 
> As for this one, we are working on a new release of XBRU that will 
> resolve it. ETA Late September.
> 
> Tim Jones
> 


On Fri, 13 Sep 2002, Peter Watkins wrote:

> Isn't xbru still a Tcl script? It should not be too hard to locate 
> references to /tmp/ and fix the problem. I've got an older copy of 
> BRU on my system & it has a similar problem, but not exactly the same.
> Anyhow, a general fix would be 1) putting the following code at the 
> beginning of the Tcl script that xbru uses (on my system, that's xbru.tcl)
> and 2) replacing each instance of the string "/tmp" (without quotations)
> with the string "[brufixGetTmpdir]" (without quotations). As a variant of 
> step 1), you could save this as /usr/local/lib/brufix-tmpdir.tcl or 
> something and modify xbru to add 
>   source /usr/local/lib/brufix-tmpdir.tcl
> near the beginning of the script, to make the changes cleaner.
> 
> -Peter
> 
> 
> # brufix-tmpdir.tcl
> # Tcl code to make a safe temporary directory for BRU Tcl/Tk scripts
> # Peter Watkins, 2002 - sample code, no guarantees
> #
> proc brufixSetTmpdir {} {
>   # make the safe temp dir & store its name in a global var
>   # or exit if errors; respect $TMPDIR if set
>   global env
>   global brufixTmpdir
>   set brufixBaseTmpdir {/tmp}
>   catch {set brufixBaseTmpdir $env(TMPDIR)}
>   if {([file isdirectory $brufixBaseTmpdir] == 0) || ([file exists $brufixBaseTmpdir] == 0)} {
>     puts stderr "temporary directory $brufixBaseTmpdir does not exist!"
>     exit 1
>   }
>   set brufixTmpdir "$brufixBaseTmpdir/bru-[clock clicks]"
>   if {[catch {file mkdir $brufixTmpdir}] != 0} {
>     puts stderr "error creating temporary directory $brufixTmpdir !"
>     exit 1
>   }
>   if {[catch {exec /bin/chmod 0700 $brufixTmpdir}] != 0} {
>     puts stderr "error setting perms on temporary directory $brufixTmpdir !"
>     exit 1
>   }
> }
> proc brufixGetTmpdir {} {
>   # return the safe temp directory name
>   global brufixTmpdir
>   if {([info exists brufixTmpdir] == 0) || ([string length $brufixTmpdir] == 0)} {
>     puts stderr "need to call brufixSetTmpdir before brufixGetTmpdir!"
>     exit 2
>   }
>   if {([file isdirectory $brufixTmpdir] == 0) || ([file exists $brufixTmpdir] == 0)} {
>     puts stderr "BRU temporary directory $brufixTmpdir does not exist!"
>     exit 3
>   }
>   return $brufixTmpdir
> }
> # early in the execution: make sure we have a good directory
> # this should only be called once!
> brufixSetTmpdir
> 
> On Fri, Sep 13, 2002 at 12:08:16PM +1200, prophecy@prophecy.net.nz wrote:
> 
> > Problem:
> 
> > Fix:
> >   - No response from vendor: (support@tolisgroup.com)
> 
> > Strace Snippet:
> > 
> > [pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", 
> > "of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
> > [pid 32159] open("/tmp/xbru_dscheck.dd", 
> > O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
> 
>