[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : tcsh/csh creates insecure temporary file

Title: tcsh/csh creates insecure temporary file
Released by: FreeBSD
Date: 20th November 2000
Printable version: Click here


FreeBSD-SA-00:76                                            Security Advisory

                                                                FreeBSD, Inc.

Topic:          tcsh/csh creates insecure temporary file

Category:       core, ports

Module:         tcsh, 44bsd-csh

Announced:      2000-11-20

Affects:        FreeBSD 4.x, 3.x prior to the correction date.

Corrected:      2000-11-04 (FreeBSD 4.1.1-STABLE)

                2000-11-05 (FreeBSD 3.5.1-STABLE)

2000-11-09 (44bsd-csh port)

2000-11-19 (tcsh port)

Credits: proton 

FreeBSD only:   NO

I.   Background

tcsh is an updated version of the traditional BSD C Shell

(csh).  Versions of csh and tcsh are included in the FreeBSD ports

collection (tcsh, 44bsd-csh) and the FreeBSD base system (csh, tcsh).

II.  Problem Description

The csh and tcsh code creates temporary files when the '<<' operator

is used, however these are created insecurely and use a predictable

filename based on the process ID of the shell.  An attacker can

exploit this vulnerability to overwrite an arbitrary file writable by

the user running the shell.  The contents of the file are overwritten

with the text being entered using the '<<' operator, so it will

usually not be under the control of the attacker.

Therefore the likely impact of this vulnerability is a denial of

service since the attacker can cause critical files writable by the

user to be overwritten.  It is unlikely, although possible depending

on the circumstances in which the '<<' operator is used, that the

attacker could exploit the vulnerability to gain privileges (this

typically requires that they have control over the contents the target

file is overwritten with).

All versions of FreeBSD prior to the correction date are vulnerable to

this problem: the /bin/csh shell included in the base system (which is

the same as /bin/tcsh in recent versions) as well as the tcsh

(versions prior to 6.09.03_1) and 44bsd-csh ports (versions prior to

44bsd-csh-20001106) in the ports collection.  The problems with the

base system shells and the 44bsd-csh port were resolved prior to the

release of FreeBSD 4.2.  The tcsh port was not fixed prior to the

release, but the port is disabled in FreeBSD 4.2 since the same

software exists in the base system.

III. Impact

Unprivileged local users can cause an arbitrary file writable by a

victim to be overwritten when the victim invokes the '<<' operator in

csh or tcsh (e.g. from within a shell script).

If you have not installed the tcsh or 44bsd-csh ports on your

4.1.1-STABLE system dated after the correction date, your system is

not vulnerable to this problem.

IV.  Workaround

None practical.

V.   Solution

Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the

correction date, or patch your present system source code and


To patch your present system: download the relevant patch from the

below location, and execute the following commands as root:

[FreeBSD 4.x base system]

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src/contrib/tcsh

patch -p < /path/to/patch

cd /usr/src/bin/csh

make depend && make all install

[FreeBSD 3.x base system]

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src/bin/csh

patch -p < /path/to/patch

make depend && make all install

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the tcsh/44bsd-csh


2) Deinstall the old package and install a new package dated after the

correction date, obtained from:













3) download a new port skeleton for the tcsh/44bsd-csh port from:


and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The

portcheckout port is available in /usr/ports/devel/portcheckout or the

package can be obtained from:







Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org







(C) 1999-2000 All rights reserved.