Bugtraq mailing list archives
Re: Another day, another race - lynx 2.7.1
From: roessler () GUUG DE (Thomas Roessler)
Date: Tue, 17 Mar 1998 19:03:34 +0100
On Tue, Mar 17, 1998 at 03:39:58PM +0100, Michal Zalewski wrote:
> Lynx's /tmp file creation procedure is so poor that it isn't the only vulnerability.
> Source code details/fix:
> In LYUtils.c, they have written their own function to make tmp filename, called tempname. How it works:
> sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);
Actually, lynx is using LYNX_TEMP_SPACE instead of TMPDIR, so setting that one to $HOME/.tmp (or whatever your favorite place is) should help against that temp race. (Yes, I know that this isn't the real fix, but it's a quick workaround.)

On a related topic, H. P. Anvin's magicfilter 1.2 package contains yet another /tmp race. The fix (replacing tmpnam && fopen by mkstemp && fdopen) is trivial, so I don't include it. Please note that this problem is especially dangerous, since magicfilter will run as root on a typical installation.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
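
The mkstemp && fdopen replacement mentioned in the message above, as an added example that is not part of the original post and is neither lynx nor magicfilter code. The helper names `open_temp_stream` and `temp_stream_is_private`, the `LXXXXXX` template and the `/tmp` scratch directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern being replaced (name is guessable from pid and a counter):
 *   sprintf(name, "%sL%d%uTMP.html", dir, getpid(), counter++);
 *   fp = fopen(name, "w");   -- opens whatever already exists at that name */

/* mkstemp() chooses the name and creates the file with O_CREAT|O_EXCL and
 * mode 0600 in one step; fdopen() wraps that same descriptor, so the path
 * is never looked up a second time. Hypothetical helper name. */
FILE *open_temp_stream(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/LXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) { errno = ENAMETOOLONG; return NULL; }
    int fd = mkstemp(path);              /* rewrites XXXXXX in place */
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {                    /* don't leak the fd or the file */
        int saved = errno;
        close(fd); unlink(path);
        errno = saved;
    }
    return fp;
}

/* Self-check in a private scratch directory (constructed test setup):
 * returns 1 if the file is a regular, owner-only file and a second
 * exclusive create on the same name is refused with EEXIST. */
int temp_stream_is_private(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", path[256];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    FILE *fp = open_temp_stream(dir, path, sizeof path);
    if (fp == NULL) { rmdir(dir); return -1; }
    int ok = fstat(fileno(fp), &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 077) == 0;
    int fd2 = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok = ok && fd2 < 0 && errno == EEXIST;
    if (fd2 >= 0) close(fd2);
    fclose(fp); unlink(path); rmdir(dir);
    return ok;
}

int main(void) { return temp_stream_is_private() == 1 ? 0 : 1; }
```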