oss-sec mailing list archives
Isearch insecure temporary files
From: David Holland <dholland-oss-security () netbsd org>
Date: Fri, 21 Dec 2012 11:05:58 +0000
NetBSD pkgsrc ships an old text search package called Isearch, which I found tonight (in the course of making it compile with a modernish C++ compiler) to contain garden-variety /tmp races. Does anyone else ship it? I don't think this is worth a CVE unless someone does; the package appears to be dead upstream. http://gnats.netbsd.org/47360 for reference; the relevant portions of the patches cited follow. --- doctype/anzmeta.cxx~ 2000-10-11 14:02:15.000000000 +0000 +++ doctype/anzmeta.cxx @@ -1446,9 +1448,21 @@ ANZMETA::Present (const RESULT& ResultRe } else { STRING s_cmd; //CHR* c_cmd; - CHR *TmpName; + CHR TmpName[64]; + int fd; - TmpName = tempnam("/tmp", "mpout"); + strcpy(TmpName, "/tmp/mpoutXXXXXX"); + fd = mkstemp(TmpName); + if (fd < 0) { + /* + * Apparently failure is not an option here, so + * proceed in a way that at least won't be insecure. + */ + strcpy(TmpName, "/dev/null"); + } + else { + close(fd); + } cout << "[ANZMETA::Present] no docs found, so build Fly cmd" << endl; --- doctype/fgdc.cxx~ 2000-09-06 18:20:30.000000000 +0000 +++ doctype/fgdc.cxx @@ -1824,10 +1826,22 @@ FGDC::Present (const RESULT& ResultRecor return; } else { STRING s_cmd; - CHR *TmpName; - - TmpName = tempnam("/tmp", "mpout"); + CHR TmpName[64]; + int fd; + strcpy(TmpName, "/tmp/mpoutXXXXXX"); + fd = mkstemp(TmpName); + if (fd < 0) { + /* + * Apparently failure is not an option here, so + * proceed in a way that at least won't be insecure. + */ + strcpy(TmpName, "/dev/null"); + } + else { + close(fd); + } + BuildCommandLine(mpCommand, HoldFilename, RecordSyntax, TmpName, &s_cmd); system(s_cmd); --- src/marc.cxx.orig 1998-05-12 16:49:10.000000000 +0000 +++ src/marc.cxx @@ -194,9 +194,15 @@ MARC::GetPrettyBuffer(STRING *Buffer) { /* // Cheese, cheese, cheese;-) - char *tempfile = tempnam("/tmp", "marc"); + char tempfile[32]; + strcpy(tempfile, "/tmp/marcXXXXXX"); + int tempfd = mkstemp(tempfile); + if (tempfd < 0) { + *Buffer = "MARC::GetPrettyBuffer() failed to open temp file"; + return; + } FILE *fp; - if((fp = fopen(tempfile, "w")) == NULL) { + if((fp = fdopen(tempfd, "w")) == NULL) { *Buffer = "MARC::GetPrettyBuffer() failed to open temp file"; return; } -- David A. Holland dholland () netbsd org
Current thread:
- Isearch insecure temporary files David Holland (Dec 21)
- Re: Isearch insecure temporary files Kurt Seifried (Dec 21)
- Re: Isearch insecure temporary files David Holland (Dec 21)
- Re: Isearch insecure temporary files Kurt Seifried (Dec 29)
- Re: Isearch insecure temporary files Henri Salo (Dec 30)
- Re: Isearch insecure temporary files Kurt Seifried (Dec 30)
- Re: Isearch insecure temporary files David Holland (Dec 21)
- Re: Isearch insecure temporary files Kurt Seifried (Dec 21)