Bugtraq mailing list archives
Xinetd /tmp race?
From: julian7 () KVA HU (Balazs Nagy)
Date: Wed, 11 Nov 1998 03:28:03 +0100
Hiyas, If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but this method isn't checked against /tmp, and it happily overwrites anything in the place of that file. The package has been released in 1997, IMHO this is too old to have a bug of this kind hidden. BTW here's the patch: diff -ruN xinetd-2.2.1.orig/xinetd/internals.c xinetd-2.2.1/xinetd/internals.c --- xinetd-2.2.1.orig/xinetd/internals.c Sun Nov 8 13:28:00 1998 +++ xinetd-2.2.1/xinetd/internals.c Sun Nov 8 13:27:33 1998 @@ -55,7 +55,14 @@ register int fd ; register unsigned u ; char *func = "dump_internal_state" ; + struct stat sb; + if (!(stat(dump_file, &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1)) + { + msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable link", dump_file ) ; + return ; + } + dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ; if ( dump_fd == -1 ) { -- Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8 86 64 9C 42 41 A4 BD B8
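Review bot: the added pre-check in dump_internal_state calls stat(), which follows symbolic links, so a symlink at dump_file that points to a singly linked regular file passes `!S_ISREG(sb.st_mode)||sb.st_nlink>1` and the open() that follows still writes through it; lstat() is needed for the test to see the link itself. The check and the open() are also two separate calls on the name, so the file can be replaced in between. Creating with O_EXCL (plus O_NOFOLLOW where the platform has it) and then validating the descriptor with fstat(dump_fd, &sb) removes that window. When stat() fails with an errno other than ENOENT, the first clause is true and sb is read without having been filled in, so that case should return early. The unchanged open() line combines its flags with `+`, which only works while the flag bits are disjoint; `|` is the safe spelling.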
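The overwrite described in the message comes from opening a fixed name in a world-writable directory. The following is an added example, not xinetd code and not part of the original post: it opens such a file without following planted links and checks the opened descriptor rather than the name. The function names, the ownership test and the `/tmp/dumpdemo.XXXXXX` scratch directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not xinetd code. Returns an fd open for appending, or -1
 * when the path is anything other than a singly linked regular file we own. */
int open_dump_file(const char *path, mode_t mode)
{
    struct stat sb;
    /* O_EXCL creation fails if any name, even a dangling symlink, exists. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd == -1 && errno == EEXIST) /* reuse; no symlink, no hang on a FIFO */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1) return -1;
    /* Inspect the object actually opened, so the name cannot be swapped. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) ||
        sb.st_nlink != 1 || sb.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenarios in a private temp dir. kind: 0 = name absent,
 * 1 = symlink to victim, 2 = hard link to victim, 3 = plain existing file.
 * Returns 1 if a descriptor was handed back, 0 if refused, -1 on setup error. */
int demo(int kind)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", victim[64], dump[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/xinetd.dump", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd == -1) return -1;
    close(vfd);
    if (kind == 1 && symlink(victim, dump)) return -1;
    if (kind == 2 && link(victim, dump)) return -1;
    if (kind == 3 && (vfd = open(dump, O_WRONLY | O_CREAT, 0600)) != -1) close(vfd);
    int fd = open_dump_file(dump, 0644);
    if (fd != -1) close(fd);
    unlink(dump); unlink(victim); rmdir(dir);
    return fd != -1;
}

int main(void)
{
    for (int k = 0; k < 4; k++) printf("scenario %d -> %d\n", k, demo(k));
    return 0;
}
```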