Re: Tempfile vulnerabilities

[deraadt () CVS OPENBSD ORG (Theo de Raadt)]

That fix is not correct.

You're just hoping that if you can make a filename that noone can
guess, that you'll be the first person to open it?

I suggest you read the OpenBSD mkstemp(3) man page, and apply what
you learn there to perl code.  The only way to handle this correctly
is to use the O_CREAT|O_EXL flag on the final open system call.

Go back and read the stuff I've posted to bugtraq over the last three
years about /tmp races.  Everyone's just repeating the same mistakes.

> > > > > > foo <foo () BLACKLISTED INTRANOVA NET> writes:
>
> > In Autobuse's main perl script, line 96:
> >
> >         if(!$test_run) {
> >                 open OUT, ">/tmp/autobuse_report.$$"
> >                         or die "can't open /tmp/autobuse_report.$$";
> >                 select OUT;
> >         }
>
> This is fixed, partly, in autobuse version snap949125599, and more so
> in today's snap949380617, which uses this mktemp function:
>
>    sub get_tmpfile {
>        my $file;
>        do {
>          open RAN, "/dev/random" || die;
>          read(RAN,$foo,16);
>          close RAN;
>          $file = '/tmp/autobuse' . unpack('H16',$foo);
>        } while (-e $file || -l $file);
>
>        return $file;
>    }
>
> This method is Linux-specific, but that's all I need.  The fixed
> autobuse is available at http://www.picante.com/~gtaylor/autobuse/
>
> Note that Autobuse has, as far as I know, zero users (including me).
> If I am wrong about this, please let me know!
>
> --
> Grant Taylor - gtaylor at picante.com - http://www.picante.com/~gtaylor/
>     Linux Printing HOWTO:  http://www.picante.com/~gtaylor/pht/