
Isearch insecure temporary files


From: David Holland <dholland-oss-security () netbsd org>
Date: Fri, 21 Dec 2012 11:05:58 +0000

NetBSD pkgsrc ships an old text search package called Isearch, which I
found tonight (in the course of making it compile with a modernish C++
compiler) to contain garden-variety /tmp races.

Does anyone else ship it? I don't think this is worth a CVE unless
someone does; the package appears to be dead upstream.

http://gnats.netbsd.org/47360 for reference; the relevant portions of
the patches cited follow.

--- doctype/anzmeta.cxx~        2000-10-11 14:02:15.000000000 +0000
+++ doctype/anzmeta.cxx
@@ -1446,9 +1448,21 @@ ANZMETA::Present (const RESULT& ResultRe
            } else {
              STRING s_cmd;
              //CHR* c_cmd;
-             CHR *TmpName;
+             CHR TmpName[64];
+             int fd;
 
-             TmpName = tempnam("/tmp", "mpout");
+             strcpy(TmpName, "/tmp/mpoutXXXXXX");
+             fd = mkstemp(TmpName);
+             if (fd < 0) {
+                /*
+                 * Apparently failure is not an option here, so
+                 * proceed in a way that at least won't be insecure.
+                 */
+                strcpy(TmpName, "/dev/null");
+             }
+             else {
+                close(fd);
+             }
 
           cout << "[ANZMETA::Present] no docs found, so build Fly cmd" << endl;
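Review bot: The `fd < 0` branch substitutes `/dev/null` for the temp file without reporting anything, so a failed mkstemp() (a full or unwritable /tmp, for instance) surfaces later as an empty result with no hint of the cause. A diagnostic in that branch would make the failure visible, e.g. `cerr << "[ANZMETA::Present] mkstemp failed; output discarded" << endl;`, in the same style as the `cout` trace that follows. The fallback also means the external command still runs with its output thrown away, so skipping it in that case may be cleaner, though the rest of ANZMETA::Present is outside the hunk. The same branch appears in the doctype/fgdc.cxx hunk.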
 
--- doctype/fgdc.cxx~   2000-09-06 18:20:30.000000000 +0000
+++ doctype/fgdc.cxx
@@ -1824,10 +1826,22 @@ FGDC::Present (const RESULT& ResultRecor
              return;
            } else {
              STRING s_cmd;
-             CHR *TmpName;
-
-             TmpName = tempnam("/tmp", "mpout");
+             CHR TmpName[64];
+             int fd;
 
+             strcpy(TmpName, "/tmp/mpoutXXXXXX");
+             fd = mkstemp(TmpName);
+             if (fd < 0) {
+                /*
+                 * Apparently failure is not an option here, so
+                 * proceed in a way that at least won't be insecure.
+                 */
+                strcpy(TmpName, "/dev/null");
+             }
+             else {
+                close(fd);
+             }
+             
              BuildCommandLine(mpCommand, HoldFilename, RecordSyntax, 
                               TmpName, &s_cmd);
              system(s_cmd);
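Review bot: After `close(fd)` the protection mkstemp() gives rests on the path alone, because `TmpName` goes into `BuildCommandLine` and then `system(s_cmd)`, and the external command reopens the file by name. That holds only if the command writes to the existing file in place (created by mkstemp() with owner-only permissions on current systems, in what is presumably a sticky-bit /tmp) rather than removing and recreating it, which deserves a comment such as `/* pre-created by mkstemp(); mpCommand must open it in place, not unlink and recreate */`. Separately, tempnam() returned malloc'ed storage and `TmpName` is now an array, so any `free(TmpName)` further down FGDC::Present, which is outside the hunk, would have to be dropped. An `unlink(TmpName)` once the output has been read is also needed if none exists. Both points apply to the doctype/anzmeta.cxx hunk as well.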
--- src/marc.cxx.orig   1998-05-12 16:49:10.000000000 +0000
+++ src/marc.cxx
@@ -194,9 +194,15 @@ MARC::GetPrettyBuffer(STRING *Buffer)
 {
   /*
   // Cheese, cheese, cheese;-)
-  char *tempfile = tempnam("/tmp", "marc");
+  char tempfile[32];
+  strcpy(tempfile, "/tmp/marcXXXXXX");
+  int tempfd = mkstemp(tempfile);
+  if (tempfd < 0) {
+    *Buffer = "MARC::GetPrettyBuffer() failed to open temp file";
+    return;
+  }
   FILE *fp;
-  if((fp = fopen(tempfile, "w")) == NULL) {
+  if((fp = fdopen(tempfd, "w")) == NULL) {
     *Buffer = "MARC::GetPrettyBuffer() failed to open temp file";
     return;
   }
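Review bot: When `fdopen(tempfd, "w")` fails, the early return leaves `tempfd` open and the file created by mkstemp() on disk; the old `fopen` path had nothing to release at that point, the new one does. Adding `close(tempfd); unlink(tempfile);` before that `return` covers it. The hunk opens with `/*` and the end of that comment is outside the hunk, so this code may be commented out, in which case the fix matters only if the block is re-enabled. The old tempnam() result was malloc'ed, so a `free(tempfile)` later in GetPrettyBuffer, if there is one, would have to go too.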
-- 
David A. Holland
dholland () netbsd org

