Re: mailx-5.5 (slackware /bin/mail) security hole

[tytso () MIT EDU (Theodore Ts'o)]

My, the more things change, the more things stay the same.  This is an
*old*, *old*, **old** vulnerability.  In fact, it's so old that BSD 4.3
(back when dinosaurs prowled the earth :-), introduced the mkstemp()
call to deal with this vulnerability.

int mkstemp(char *template)

Works just like mktemp(), but it returns a file descriptor which is open
for reading and writing.  This file descriptor is guaranteed to belong
to a fresly created file.  mkstemp() is already in the Linux libc, for
BSD compatibility --- it's just a matter of modifying existing programs
to use it.

It would probably be a good idea for future descriptions of this particular
security problem also included the a fix for getting around this
problem.  Using mkstemp(), where available, is a fine way to fix the
problem.  If it's not available, it's not terribly hard to write a
mkstemp() function, or to simply use mktemp and open the file with the
O_CREAT and O_EXCL flags.

Regarding the denial of service attack if there are more than 62
conflicting file names --- this sounds like a bug in mktemp() to me!  It
clearly should be using a better algorithm if that's all it takes to
trip it up.

                                                - Ted