======Dangerous temp file creation during installation of Netscape 6====== //10/1/2001//

During installation of Netscape 6.01a for Solaris 2.7/8 Sparc, I noticed the file /tmp/admin.3842 was created with mode 644. As you already know if this package is installed by root in multiuser mode a malicious user could use this to overwrite system files etc..

Here is the dangerous code:

# grep tmp ns6install

       cat >/tmp/admin.$$ <<EOF 
       /usr/sbin/pkgrm -n -a /tmp/admin.$$ ${pkg}.* 2>&1 
       /usr/sbin/pkgadd -n -a /tmp/admin.$$ -d `pwd` $pkg 2>&1 

A temporary work around would be to shut the system down into single user mode, clean out /tmp and then install.

In reference too:

http://www.sun.com/solaris/netscape/index.html http://www.securityfocus.com/bid/3243