Shorewall 1.4.10f

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1420 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 08:44:05 +01:00 · 2004-06-28 18:49:16 +00:00 · 2004-06-28 18:49:16 +00:00 · ce7ce85d32
commit ce7ce85d32
parent 62445a7b5a
13 changed files with 1390 additions and 1592 deletions
--- a/Lrp/sbin/shorewall
+++ b/Lrp/sbin/shorewall
@ -109,7 +109,7 @@ showfirstchain() # $1 = name of chain
    /^Chain/	 {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
    /Chain '$1'/ { prnt=1; }; \
 		 { if (prnt == 1)  print; };\
-    END		 { exit rslt; }' /tmp/chains-$$
+    END		 { exit rslt; }' $TMPFILE
 }

 showchain() # $1 = name of chain
@ -124,7 +124,7 @@ showchain() # $1 = name of chain
 	/^$|^ pkts/  { next; };\
 	/^Chain/     {if ( prnt == 1 ) exit; };\
 	/Chain '$1'/ { prnt=1; };\
-		     { if (prnt == 1)  print; }' /tmp/chains-$$
+		     { if (prnt == 1)  print; }' $TMPFILE
    fi
 }

@ -169,14 +169,18 @@ get_config() {
 #
 display_chains()
 {
-    trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
+    trap "rm -f $TMPFILE; exit 1" 1 2 3 4 5 6 9

    if [ "$haveawk" = "Yes" ]; then
 	#
 	# Send the output to a temporary file since ash craps if we try to store
 	# the output in a variable.
 	#
-	iptables -L -n -v > /tmp/chains-$$
+	TMPFILE=$(mktempfile)
+
+	[ -n "$TMPFILE" ] || { echo "Cannot create a temporary file" >&2; exit 2; }
+
+	iptables -L -n -v >> $TMPFILE

 	clear
 	echo "$banner `date`"
@ -197,7 +201,7 @@ display_chains()
 	echo "Input Chains"
 	echo

-	chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
+	chains=`grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2`

 	for chain in $chains; do
 	    showchain $chain
@ -207,7 +211,7 @@ display_chains()

 	for zone in $zones; do

-	    if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
+	    if [ -n "`grep "^Chain \.*${zone}" $TMPFILE`" ] ; then
 		clear
 		echo "$banner `date`"
 		echo
@ -257,7 +261,7 @@ display_chains()
 	showchain dynamic
 	timed_read

-	qt rm -f /tmp/chains-$$
+	qt rm -f $TMPFILE
    else
 	iptables -L -n -v
 	timed_read
@ -373,8 +377,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that


    if qt which awk; then
-	TMP_DIR=/tmp/shorewall-$$
-	mkdir $TMP_DIR
+	TMP_DIR=$(mktempdir)
+	[ -n "$TMP_DIR" ] || { echo "Unable to create a temporary directory" >&2; exit 2; }
 	haveawk=Yes
 	determine_zones
 	rm -rf $TMP_DIR
@ -897,7 +901,7 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	mutex_on
 	if qt iptables -L shorewall -n; then
-	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+	    [ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }

 	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
 		echo "Dynamic Rules Saved"
--- a/Lrp/usr/share/shorewall/firewall
+++ b/Lrp/usr/share/shorewall/firewall
--- a/Lrp/usr/share/shorewall/functions
+++ b/Lrp/usr/share/shorewall/functions
@ -175,6 +175,69 @@ mutex_off()
    rm -f $STATEDIR/lock
 }

+#
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp=`which mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		mkdir $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		echo "   ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp /tmp/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f /tmp/shorewall-$$
+		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+		;;
+	    *)
+		echo "   ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
+
 #
 # Read a file and handle "INCLUDE" directives
 #
--- a/Lrp/usr/share/shorewall/version
+++ b/Lrp/usr/share/shorewall/version
@ -1 +1 @@
-1.4.10a
+1.4.10f
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@ -1 +1 @@
-1.4.10a
+1.4.10f
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=1.4.10e
+VERSION=1.4.10f

 usage() # $1 = exit status
 {
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -5568,13 +5568,6 @@ do_initialize() {
    nonat_seq=1
    aliases_to_add=

-    TMP_DIR=/tmp/shorewall-$$
-    rm -rf $TMP_DIR
-    mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \
-       startup_error "Can't create $TMP_DIR"
-
-    trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
-
    FUNCTIONS=$SHARED_DIR/functions

    if [ -f $FUNCTIONS ]; then
@ -5584,6 +5577,13 @@ do_initialize() {
 	startup_error "$FUNCTIONS does not exist!"
    fi

+    TMP_DIR=$(mktempdir)
+
+    [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
+       startup_error "Can't create a temporary directory"
+
+    trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
+
    VERSION_FILE=$SHARED_DIR/version

    [ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
--- a/STABLE/functions
+++ b/STABLE/functions
@ -175,6 +175,69 @@ mutex_off()
    rm -f $STATEDIR/lock
 }

+#
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp=`which mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		mkdir $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		echo "   ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp /tmp/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f /tmp/shorewall-$$
+		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+		;;
+	    *)
+		echo "   ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
+
 #
 # Read a file and handle "INCLUDE" directives
 #
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #

-VERSION=1.4.10e
+VERSION=1.4.10f

 usage() # $1 = exit status
 {
--- a/STABLE/shorewall
+++ b/STABLE/shorewall
@ -109,7 +109,7 @@ showfirstchain() # $1 = name of chain
    /^Chain/	 {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
    /Chain '$1'/ { prnt=1; }; \
 		 { if (prnt == 1)  print; };\
-    END		 { exit rslt; }' /tmp/chains-$$
+    END		 { exit rslt; }' $TMPFILE
 }

 showchain() # $1 = name of chain
@ -124,7 +124,7 @@ showchain() # $1 = name of chain
 	/^$|^ pkts/  { next; };\
 	/^Chain/     {if ( prnt == 1 ) exit; };\
 	/Chain '$1'/ { prnt=1; };\
-		     { if (prnt == 1)  print; }' /tmp/chains-$$
+		     { if (prnt == 1)  print; }' $TMPFILE
    fi
 }

@ -169,14 +169,18 @@ get_config() {
 #
 display_chains()
 {
-    trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
+    trap "rm -f $TMPFILE; exit 1" 1 2 3 4 5 6 9

    if [ "$haveawk" = "Yes" ]; then
 	#
 	# Send the output to a temporary file since ash craps if we try to store
 	# the output in a variable.
 	#
-	iptables -L -n -v > /tmp/chains-$$
+	TMPFILE=$(mktempfile)
+
+	[ -n "$TMPFILE" ] || { echo "Cannot create a temporary file" >&2; exit 2; }
+
+	iptables -L -n -v >> $TMPFILE

 	clear
 	echo "$banner `date`"
@ -197,7 +201,7 @@ display_chains()
 	echo "Input Chains"
 	echo

-	chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
+	chains=`grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2`

 	for chain in $chains; do
 	    showchain $chain
@ -207,7 +211,7 @@ display_chains()

 	for zone in $zones; do

-	    if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
+	    if [ -n "`grep "^Chain \.*${zone}" $TMPFILE`" ] ; then
 		clear
 		echo "$banner `date`"
 		echo
@ -257,7 +261,7 @@ display_chains()
 	showchain dynamic
 	timed_read

-	qt rm -f /tmp/chains-$$
+	qt rm -f $TMPFILE
    else
 	iptables -L -n -v
 	timed_read
@ -373,8 +377,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that


    if qt which awk; then
-	TMP_DIR=/tmp/shorewall-$$
-	mkdir $TMP_DIR
+	TMP_DIR=$(mktempdir)
+	[ -n "$TMP_DIR" ] || { echo "Unable to create a temporary directory" >&2; exit 2; }
 	haveawk=Yes
 	determine_zones
 	rm -rf $TMP_DIR
@ -897,7 +901,7 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	mutex_on
 	if qt iptables -L shorewall -n; then
-	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+	    [ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }

 	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
 		echo "Dynamic Rules Saved"
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.10e
+%define version 1.4.10f
 %define release 1
 %define prefix /usr

@ -109,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel

 %changelog
+* Mon Jun 28 2004 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.4.10f-1
 * Tue Apr 13 2004 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.10e-1
 * Tue Mar 16 2004 Tom Eastep <tom@shorewall.net>
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall

-VERSION=1.4.10e
+VERSION=1.4.10f

 usage() # $1 = exit status
 {
--- a/Shorewall-docs/errata.xml
+++ b/Shorewall-docs/errata.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>

-    <pubdate>2004-04-16</pubdate>
+    <pubdate>2004-06-28</pubdate>

    <copyright>
      <year>2001-2004</year>
@ -115,9 +115,15 @@ DNAT        z1!z2,z3       z4:192.168.4.5   tcp        22</programlisting></para
          <para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
          and IPSEC has been corrected.</para>
        </listitem>
+
+        <listitem>
+          <para>A potentially exploitable vulnerability in the way that
+          Shorewall handles temporary files and directories has been found by
+          Javier Fernández-Sanguino Peña.</para>
+        </listitem>
      </itemizedlist>

-      <para>These problems have been corrected in <ulink
+      <para>The first seven problems have been corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
@ -134,7 +140,10 @@ DNAT        z1!z2,z3       z4:192.168.4.5   tcp        22</programlisting></para
      <para>The first six problem corrections were included in Shorewall
      update 1.4.10d.</para>

-      <para>All problem corrections were included in Shorewall update 1.4.10e.</para>
+      <para>The first seven problems corrections were included in Shorewall
+      update 1.4.10e;</para>
+
+      <para>All problem corrections were included in Shorewall update 1.4.10f.</para>
    </section>

    <section>
 @ -1 +1 @@
 .4.10a
 .4.10f