Hi Jeff,
All I can give you is what I found on the cert site:
When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the file before re-opening it as the standard input of the command to be executed. At no stage are the results of the creat(), write(), or open() calls checked for an error status.
II. Impact
It is possible for another user to alter what is read from this file.
If the sticky bit is not set on /tmp, the file can be simply removed, and a new file created in its place
If the sticky bit is set, then it is possible to guess what the file will be called and create it before /bin/sh does (the creat() call performed by the shell does not result in an open() call with O_EXCL set) and hence it is possible to maintain a handle on the underlying file.
If a fifo is created in place of the temporary file it is particularly easy to insert an extra command into the input transparently, and without having to worry about ensuring the bug is exploited during the narrow window of time in which it occurs.
Even without reading, creating this file may block the execution of commands using the << operator.
It may also be possible to create a symbolic link named as the temporary file and pointed to any other file on the system writable by the user of the shell, which may lead to corruption of the file to which the link is pointed.
Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
