Bugtraq mailing list archives
XFree86 4.0.1 and /tmp
From: jsm28 () CAM AC UK (Joseph S. Myers)
Date: Sun, 2 Jul 2000 22:00:04 +0100
When XFree86 4.0.1 is installed from source on Linux, it creates ".so" man page aliases as temporary files in /tmp, which then get installed under /usr/X11R6/man. (Imake.rules, InstallManPageAliases.) The temporary filename is determined from the process id; it is removed before being overwritten, but shell redirection without noclobber is used and the process id is predictable so the race should not be difficult to win. The install from source would normally run as root. TMPDIR is not honoured. This problem has been in XFree86 for a long time. There are several other /tmp problems in XFree86: gccmakedep (shell script) uses /tmp insecurely, although on the 3.3.x branch it uses mktemp(1); imake, on Linux only, uses tmpnam(3) insecurely when determining the libc version (and, in 4.0, imake had a regression from 3.3.x with insecure use of mktemp(3); this has been fixed in 4.0.1); xman uses mktemp(3) insecurely; both versions of libXaw use tmpnam(3) and show no signs of using O_EXCL (but I'm not sure under what circumstances Xaw actually uses temporary files). It doesn't seem any of these will follow TMPDIR either. All these problems were reported to XFree86 in March after the release of XFree86 4.0. -- Joseph S. Myers jsm28 () cam ac uk
Current thread:
- Re: WuFTPD: Providing *remote* root since at least1994 Alan J Rosenthal (Jun 30)
- <Possible follow-ups>
- Re: WuFTPD: Providing *remote* root since at least1994 Kragen Sitaker (Jun 30)
- Re: WuFTPD: Providing *remote* root since at least1994 Kragen Sitaker (Jun 30)
- XFree86 4.0.1 and /tmp Joseph S. Myers (Jul 02)
- BitchX - more on format bugs? Forever shall I be. (Jul 03)
- BitchX exploit possibly waiting to happen, certain DoS bert hubert (Jul 03)
- Re: BitchX exploit possibly waiting to happen, certain DoS Daniel Jacobowitz (Jul 05)
- remote crash BitchX 1.0c16 Colten Edwards (Jul 03)
- Re: remote crash BitchX 1.0c16 Moniz, Troy (Jul 05)
- Oracle Web Listener for AIX DoS Peter Grundl (Jul 04)
- Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability Ussr Labs (Jul 04)
- Recovering Passwords in Visible Systems' Razor Clifford, Shawn A (Jul 05)
- proftp advisory lamagra (Jul 05)
- Re: proftp advisory Max Vision (Jul 05)
(Thread continues...)