From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 2 Dec 2008 09:11:38 +0000 (+0100)
Subject: Fix for CVE-2008-4474
X-Git-Tag: release_2_1_2~8
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=ba8b7be030e0f756f9c7a10182ef0ab73ca458d1

Fix for CVE-2008-4474

Dialup-admin uses tmp files insecurely.  Since it isn't running
in a default install, this shouldn't be a major problem.

Patch from bug #605
---

diff --git a/dialup_admin/bin/clean_radacct b/dialup_admin/bin/clean_radacct
index 7ff8211..76ac4c8 100755
--- a/dialup_admin/bin/clean_radacct
+++ b/dialup_admin/bin/clean_radacct
@@ -5,6 +5,7 @@
 # Works with mysql and postgresql
 #
 use POSIX;
+use File::Temp;
 
 $conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
 $back_days = 35;
@@ -42,11 +43,10 @@ if (POSIX::strftime("%Y-%m-%d %T",localtime) eq $date){
 
 $query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';";
 print "$query\n";
-open TMP, ">/tmp/clean_radacct.query"
-        or die "Could not open tmp file\n";
-print TMP $query;
-close TMP;
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/clean_radacct.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/clean_radacct.query $sql_database" if ($sql_type eq 'pg');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/clean_radacct.query" if ($sql_type eq 'sqlrelay');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
diff --git a/dialup_admin/bin/log_badlogins b/dialup_admin/bin/log_badlogins
index d44dbb6..5a1ee99 100755
--- a/dialup_admin/bin/log_badlogins
+++ b/dialup_admin/bin/log_badlogins
@@ -14,6 +14,7 @@
 
 use Date::Manip qw(ParseDate UnixDate);
 use Digest::MD5;
+use File::Temp;
 $|=1;
 
 $file=shift||'none';
@@ -29,7 +30,8 @@ $all_file=shift||'no';
 # CHANGE THESE TO MATCH YOUR SETUP
 #
 #$regexp = 'from client localhost port 135|from client blabla ';
-$tmpfile='/var/tmp/sql.input';
+$tmpdir=tempdir( CLEANUP => 1 );
+$tmpfile="$tmpdir/sql.input";
 #
 $verbose = 0;
 #
diff --git a/dialup_admin/bin/monthly_tot_stats b/dialup_admin/bin/monthly_tot_stats
index 69bddc6..e3e7ea4 100755
--- a/dialup_admin/bin/monthly_tot_stats
+++ b/dialup_admin/bin/monthly_tot_stats
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 use POSIX;
+use File::Temp;
 
 # Log in the mtotacct table aggregated accounting information for
 # each user spaning in one month period.
@@ -51,14 +52,13 @@ $query2 = "INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
 	AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
 print "$query1\n";
 print "$query2\n";
-open TMP, ">/tmp/tot_stats.query"
-	or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query1;
-print TMP $query2;
-close TMP;
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
diff --git a/dialup_admin/bin/tot_stats b/dialup_admin/bin/tot_stats
index bc3a472..a521485 100755
--- a/dialup_admin/bin/tot_stats
+++ b/dialup_admin/bin/tot_stats
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 use POSIX;
+use File::Temp;
 
 # Log in the totacct table aggregated daily accounting information for
 # each user.
@@ -48,14 +49,13 @@ $query2 = "INSERT INTO totacct (UserName,AcctDate,ConnNum,ConnTotDuration,
 	AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
 print "$query1\n";
 print "$query2\n";
-open TMP, ">/tmp/tot_stats.query"
-	or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query1;
-print TMP $query2;
-close TMP;
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
diff --git a/dialup_admin/bin/truncate_radacct b/dialup_admin/bin/truncate_radacct
index a2eb545..22d24fd 100755
--- a/dialup_admin/bin/truncate_radacct
+++ b/dialup_admin/bin/truncate_radacct
@@ -5,6 +5,7 @@
 # Works with mysql and postgresql
 #
 use POSIX;
+use File::Temp;
 
 $conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
 $back_days = 90;
@@ -44,13 +45,12 @@ $query = "LOCK TABLES $sql_accounting_table WRITE;" if ($sql_type eq 'mysql');
 $query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;";
 $query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql');
 print "$query\n";
-open TMP, ">/tmp/truncate_radacct.query"
-        or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query;
-close TMP;
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/truncate_radacct.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/truncate_radacct.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/truncate_radacct.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;