Full Disclosure mailing list archives

Re: arc insecure temporary file creation


From: Joey Schulze <joey () infodrom org>
Date: Tue, 20 Sep 2005 20:23:30 +0200

ZATAZ Audits wrote:
> The vulnerability is caused due to temporary file being created insecurely.
> The temporary file used for archive creation could be read by untrusted
> users.

This is not just an information leak, but also a symlink vulnerability
since the temporary file is created without ensuring that either it
does not exist before or is owned by the same user, while it is placed
in a usually publicly writable directory.

The following patch should fix both issues.

--- arcsvc.c~   2005-03-13 16:48:09.000000000 +0100
+++ arcsvc.c    2005-09-17 09:41:51.000000000 +0200
@@ -17,6 +17,9 @@
         Computer Innovations Optimizing C86
 */
 #include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 #include "arc.h"
 #if    _MTS
 #include <mts.h>
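Review bot: the three new includes at the top of arcsvc.c are unconditional, while the context lines right below them already guard a platform header with #if _MTS, so this file is evidently built for more than one system. <sys/types.h>, <sys/stat.h> and <fcntl.h> may not exist on every such target; consider putting them, and the open() call that needs them, behind a platform conditional and keeping the fopen() path for targets that lack them.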
@@ -52,7 +55,12 @@ openarc(chg)                 /* open archive */
        }
 #endif
        if (chg) {              /* if opening for changes */
-               if (!(new = fopen(newname, OPEN_W)))
+               int fd;
+
+               if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1)
+                       arcdie("Cannot create archive copy: %s", newname);
+
+               if (!(new = fdopen(fd, OPEN_W)))
                        arcdie("Cannot create archive copy: %s", newname);
 
        changing = chg;         /* note if open for changes */
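Review bot: in openarc(), O_EXCL makes open() fail whenever newname already exists, which stops a planted symlink but also trips on a stale copy left by an interrupted run, and both cases, as well as an fdopen() failure, end in the same "Cannot create archive copy" message. Include the reason in the message (for example strerror(errno)) so that EEXIST can be told apart from a permission or disk error. The mode would also be better spelled S_IRUSR|S_IWUSR, the POSIX names from <sys/stat.h>, than the legacy S_IREAD|S_IWRITE.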

Regards,

        Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
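
The symlink issue described in the message, as an added example that is not part of the original post or of the arc source: it runs fopen() and an O_CREAT|O_EXCL open against a symlink planted in a private scratch directory and reports what happens to the file the link points at. The function names, the /tmp/arcdemoXXXXXX path and the "secret" content are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, fdopen */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened creation in the style of the patch: refuse any pre-existing name. */
static FILE *create_exclusive(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return NULL;        /* EEXIST for a file or a symlink, even a dangling one */
    FILE *fp = fdopen(fd, "w+");
    if (!fp)
        close(fd);          /* do not leak the descriptor */
    return fp;
}

/* Constructed scenario: a scratch directory holds "victim" (6 bytes) and a
   symlink "tmp" -> victim. Opens "tmp" the old or the hardened way, stores the
   open error in *open_errno and returns the victim's size afterwards. */
long victim_size_after(int hardened, int *open_errno)
{
    char dir[] = "/tmp/arcdemoXXXXXX", victim[64], link_name[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_name, sizeof link_name, "%s/tmp", dir);
    FILE *fp = fopen(victim, "w");
    if (!fp) return -1;
    fputs("secret", fp); fclose(fp);
    if (symlink(victim, link_name) != 0) return -1;

    errno = 0;
    fp = hardened ? create_exclusive(link_name) : fopen(link_name, "w");
    *open_errno = fp ? 0 : errno;
    if (fp) fclose(fp);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1L;
    unlink(link_name); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    int e;
    printf("fopen:  victim size %ld\n", victim_size_after(0, &e));
    printf("O_EXCL: victim size %ld, errno %d\n", victim_size_after(1, &e), e);
    return 0;
}
```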

