caml-light insecure temporary files
From: David Holland <dholland-oss-security () netbsd org>
Date: Sun, 6 Nov 2011 20:09:11 +0000
I apologize for sending this out on a weekend... but I found out it accidentally got broadcast to one of our mailing lists so there's nothing much to be gained from waiting. And besides, it's neither particularly critical nor of particularly broad interest. Anyway. I don't know if anyone besides us still ships caml-light; it is long dead upstream and obsoleted by ocaml. AFAICT neither Debian nor Red Hat does. But just in case: it uses mktemp() insecurely, and also does unsafe things in /tmp during make install. Patches follow; reference URL (including copies of the patches) is http://gnats.netbsd.org/45558. I'm not sure it's worth allocating a CVE number for this if it turns out nobody else ships it. --- src/yacc/main.c~ 1995-06-07 09:34:32.000000000 -0400 +++ src/yacc/main.c @@ -1,4 +1,5 @@ #include <signal.h> +#include <stdlib.h> /* for mkstemp(), getenv() */ #include "defs.h" char dflag; @@ -31,6 +32,11 @@ char *text_file_name; char *union_file_name; char *verbose_file_name; +static int action_fd = -1; +static int entry_fd = -1; +static int text_fd = -1; +static int union_fd = -1; + FILE *action_file; /* a temp file, used to save actions associated */ /* with rules until the parser is written */ FILE *entry_file; @@ -69,9 +75,6 @@ char *rassoc; short **derives; char *nullable; -extern char *mktemp(); -extern char *getenv(); - done(k) int k; @@ -276,12 +279,21 @@ create_file_names() union_file_name[len + 5] = 'u'; #ifndef NO_UNIX - mktemp(action_file_name); - mktemp(entry_file_name); - mktemp(text_file_name); - mktemp(union_file_name); + action_fd = mkstemp(action_file_name); + entry_fd = mkstemp(entry_file_name); + text_fd = mkstemp(text_file_name); + union_fd = mkstemp(union_file_name); #endif + if (action_fd < 0) + open_error(action_file_name); + if (entry_fd < 0) + open_error(entry_file_name); + if (text_fd < 0) + open_error(text_file_name); + if (union_fd < 0) + open_error(union_file_name); + len = strlen(file_prefix); output_file_name = MALLOC(len + 7); 
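Review bot: The four `if (..._fd < 0) open_error(...)` checks in create_file_names() sit after the `#endif`, so a build with NO_UNIX defined never calls mkstemp(), leaves every descriptor at its initial -1, and always exits through open_error(). The open_files() hunks depend on the same descriptors, since they now call fdopen() unconditionally. Move the checks inside the `#ifndef NO_UNIX` block and keep an `fopen(name, "w")` path for NO_UNIX, or remove the conditional if that configuration is no longer supported. Checking each mkstemp() result immediately, as sketched below, also avoids creating further temporary files after one has already failed; whether open_error() removes the ones already created is not visible here. create_file_names() starts and ends outside the hunk.

```c
#ifndef NO_UNIX
    /* Check each descriptor as it is created so a failure stops at once. */
    action_fd = mkstemp(action_file_name);
    if (action_fd < 0)
        open_error(action_file_name);
    entry_fd = mkstemp(entry_file_name);
    if (entry_fd < 0)
        open_error(entry_file_name);
    text_fd = mkstemp(text_file_name);
    if (text_fd < 0)
        open_error(text_file_name);
    union_fd = mkstemp(union_file_name);
    if (union_fd < 0)
        open_error(union_file_name);
#endif
    /* … unchanged: output_file_name allocation … */
```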
@@ -321,15 +333,15 @@ open_files() open_error(input_file_name); } - action_file = fopen(action_file_name, "w"); + action_file = fdopen(action_fd, "w"); if (action_file == 0) open_error(action_file_name); - entry_file = fopen(entry_file_name, "w"); + entry_file = fdopen(entry_fd, "w"); if (entry_file == 0) open_error(entry_file_name); - text_file = fopen(text_file_name, "w"); + text_file = fdopen(text_fd, "w"); if (text_file == 0) open_error(text_file_name); @@ -345,7 +357,7 @@ open_files() defines_file = fopen(defines_file_name, "w"); if (defines_file == 0) open_error(defines_file_name); - union_file = fopen(union_file_name, "w"); + union_file = fdopen(union_fd, "w"); if (union_file == 0) open_error(union_file_name); } --- src/launch/Makefile~ 1995-02-22 04:33:26.000000000 -0500 +++ src/launch/Makefile @@ -10,19 +10,20 @@ all: camlc camllight camlmktop camlexec # Also, "make install" is done with root permissions, meaning that we don't # have write permission in the current directory if NFS-mounted... +# (echo "#!$(BINDIR)/camlrun"; \ +# echo "exit 2"; \ +# cat testprog) > /tmp/testscr +# chmod a+x /tmp/testscr +# sh -c 'if sh -c /tmp/testscr 2>/dev/null; \ +# then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \ +# else cp camlexec $(LIBDIR)/header; \ +# fi' +# rm -f /tmp/testscr install: - (echo "#!$(BINDIR)/camlrun"; \ - echo "exit 2"; \ - cat testprog) > /tmp/testscr - chmod a+x /tmp/testscr - sh -c 'if sh -c /tmp/testscr 2>/dev/null; \ - then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \ - else cp camlexec $(LIBDIR)/header; \ - fi' - rm -f /tmp/testscr + echo "#!$(BINDIR)/camlrun" > $(DESTDIR)$(LIBDIR)/header for script in camlc camllight camlmktop; do \ - cp $$script $(BINDIR)/$$script; \ - chmod a+x $(BINDIR)/$$script; \ + cp $$script $(DESTDIR)$(BINDIR)/$$script; \ + chmod a+x $(DESTDIR)$(BINDIR)/$$script; \ done SEDCOMMANDS=\ -- David A. Holland dholland () netbsd org
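Review bot: The new `install` rule writes `#!$(BINDIR)/camlrun` to `$(DESTDIR)$(LIBDIR)/header` unconditionally, so the `cp camlexec $(LIBDIR)/header` fallback for hosts where the `#!` probe failed is gone, even though `all` still lists camlexec. Dropping the probe is reasonable, since the comment above says `make install` runs as root and the probe wrote and executed a fixed `/tmp/testscr`, but the new assumption should be written down. I would replace the commented-out recipe with a short comment such as `# The "#!" probe was removed: it created and ran a fixed /tmp/testscr as root. Kernel "#!" support is now assumed.` Keeping the old commands as comments invites someone to re-enable them. If a platform does need the camlexec header, the probe belongs in a private directory (for example one created with `mktemp -d`), not at a fixed path in /tmp.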