From: "Larry W. Cashdollar" <lwc@Vapid.dhs.org> To: bugtraq@securityfocus.com Subject: Dangerous temp file creation during installation of Netscape 6. Date: Mon, 27 Aug 2001 13:55:27 -0400 (EDT) During installation of Netscape 6.01a for Solaris 2.7/8 Sparc, I noticed the file /tmp/admin.3842 was created with mode 644. As you already know if this package is installed by root in multiuser mode a malicious user could use this to overwrite system files etc.. Here is the dangerous code: # grep tmp ns6install cat >/tmp/admin.$$ <<EOF /usr/sbin/pkgrm -n -a /tmp/admin.$$ ${pkg}.* 2>&1 /usr/sbin/pkgadd -n -a /tmp/admin.$$ -d `pwd` $pkg 2>&1 # A temporary work around would be to shut the system down into single user mode, clean out /tmp and then install. In reference too: http://www.sun.com/solaris/netscape/index.html -- Larry http://vapid.dhs.org:8080