Full Disclosure mailing list archives
Re: arc insecure temporary file creation
From: Joey Schulze <joey () infodrom org>
Date: Tue, 20 Sep 2005 20:23:30 +0200
ZATAZ Audits wrote:
The vulnerability is caused due to a temporary file being created insecurely. The temporary file used for archive creation could be read by untrusted users.
This is not just an information leak, but also a symlink vulnerability since the temporary file is created without ensuring that either it does not exist before or is owned by the same user, while it is placed in a usually publicly writable directory. The following patch should fix both issues.

--- arcsvc.c~ 2005-03-13 16:48:09.000000000 +0100 +++ arcsvc.c 2005-09-17 09:41:51.000000000 +0200 @@ -17,6 +17,9 @@ Computer Innovations Optimizing C86 */ #include <stdio.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> #include "arc.h" #if _MTS #include <mts.h> @@ -52,7 +55,12 @@ openarc(chg) /* open archive */ } #endif if (chg) { /* if opening for changes */ - if (!(new = fopen(newname, OPEN_W))) + int fd; + + if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1) + arcdie("Cannot create archive copy: %s", newname); + + if (!(new = fdopen(fd, OPEN_W))) arcdie("Cannot create archive copy: %s", newname); changing = chg; /* note if open for changes */

Regards,
Joey

--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.
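Review bot: In the second hunk (openarc), the new open() branch and the existing fdopen() branch both end in arcdie("Cannot create archive copy: %s", newname) without reporting errno, so a refusal caused by O_EXCL because newname already exists looks the same as a permission or disk-full error. Include strerror(errno) in the open() branch so the user can tell that a pre-existing file or symlink blocked the run. With O_EXCL, anything left at newname now stops every open for changes until it is removed, which is the safe outcome but deserves a line in the documentation. As a style point, S_IREAD|S_IWRITE are the legacy BSD names; S_IRUSR|S_IWUSR are the POSIX spellings of the same 0600 mode.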
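The behaviour the fix depends on, as an added example (not code from arc or from the original post): fopen() in write mode follows a symlink planted under the work file's name, while open() with O_CREAT|O_EXCL refuses it with EEXIST. The function names and the scratch-directory scenario are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, fdopen, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path only if no file or symlink (even a dangling one) has that name.
 * Returns a stream, or NULL with errno set (EEXIST when the name is taken). */
FILE *create_exclusive(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {               /* do not leak the fd or leave a stray file */
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
    }
    return fp;
}

/* Constructed scenario: in a scratch directory, "work" is a dangling symlink
 * to "target" that exists before the program opens "work". Opens "work" with
 * fopen() (exclusive == 0) or create_exclusive(). Returns 1 if "target" was
 * created through the link, 0 if it was not, -1 on setup failure. */
int symlink_followed(int exclusive)
{
    char dir[] = "/tmp/arc-demo-XXXXXX", work[64], target[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(work, sizeof work, "%s/work", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, work) != 0) {
        rmdir(dir);
        return -1;
    }
    FILE *fp = exclusive ? create_exclusive(work) : fopen(work, "w");
    int followed = (access(target, F_OK) == 0);
    if (fp != NULL)
        fclose(fp);
    unlink(target);
    unlink(work);
    rmdir(dir);
    return followed;
}
```

O_EXCL only closes the race on an existing name; a caller that can choose the file name is better served by mkstemp(), which also makes the name unpredictable.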
Current thread:
- arc insecure temporary file creation ZATAZ Audits (Sep 16)
- Re: arc insecure temporary file creation Joey Schulze (Sep 20)