Re: Isearch insecure temporary files

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/21/2012 04:05 AM, David Holland wrote:
> NetBSD pkgsrc ships an old text search package called Isearch,
> which I found tonight (in the course of making it compile with a
> modernish C++ compiler) to contain garden-variety /tmp races.
>
> Does anyone else ship it? I don't think this is worth a CVE unless 
> someone does; the package appears to be dead upstream.

This is similar to http://seclists.org/oss-sec/2012/q4/142

Ideally we need some way to mark software as dead/unsafe/don't use. I
don't know what the answer is though (does someone maintain a
blacklist? who decides? etc.).

> http://gnats.netbsd.org/47360 for reference; the relevant portions
> of the patches cited follow.

Yeah that's pretty classic /tmp vulns. Please use CVE-2012-5663 for
this issue.

> --- doctype/anzmeta.cxx~      2000-10-11 14:02:15.000000000 +0000 +++
> doctype/anzmeta.cxx @@ -1446,9 +1448,21 @@ ANZMETA::Present (const
> RESULT& ResultRe } else { STRING s_cmd; //CHR* c_cmd; -             CHR
> *TmpName; +         CHR TmpName[64]; +              int fd;
>
> -           TmpName = tempnam("/tmp", "mpout"); +           strcpy(TmpName,
> "/tmp/mpoutXXXXXX"); +              fd = mkstemp(TmpName); +        if (fd
> < 0) { +               /* +             * Apparently failure is not an option here, so +
> * proceed in a way that at least won't be insecure. +           */ +
> strcpy(TmpName, "/dev/null"); +             } +             else { +
> close(fd); +        }
>
> cout << "[ANZMETA::Present] no docs found, so build Fly cmd" <<
> endl;
>
> --- doctype/fgdc.cxx~ 2000-09-06 18:20:30.000000000 +0000 +++
> doctype/fgdc.cxx @@ -1824,10 +1826,22 @@ FGDC::Present (const
> RESULT& ResultRecor return; } else { STRING s_cmd; -        CHR
> *TmpName; - -       TmpName = tempnam("/tmp", "mpout"); +           CHR
> TmpName[64]; +              int fd;
>
> +           strcpy(TmpName, "/tmp/mpoutXXXXXX"); +          fd =
> mkstemp(TmpName); +         if (fd < 0) { +            /* +             * Apparently
> failure is not an option here, so +             * proceed in a way that at
> least won't be insecure. +              */ +           strcpy(TmpName, "/dev/null"); 
> +           } +             else { +           close(fd); +         } + 
> BuildCommandLine(mpCommand, HoldFilename, RecordSyntax, TmpName,
> &s_cmd); system(s_cmd); --- src/marc.cxx.orig 1998-05-12
> 16:49:10.000000000 +0000 +++ src/marc.cxx @@ -194,9 +194,15 @@
> MARC::GetPrettyBuffer(STRING *Buffer) { /* // Cheese, cheese,
> cheese;-) -  char *tempfile = tempnam("/tmp", "marc"); +  char
> tempfile[32]; +  strcpy(tempfile, "/tmp/marcXXXXXX"); +  int tempfd
> = mkstemp(tempfile); +  if (tempfd < 0) { +    *Buffer =
> "MARC::GetPrettyBuffer() failed to open temp file"; +    return; +
> } FILE *fp; -  if((fp = fopen(tempfile, "w")) == NULL) { +  if((fp
> = fdopen(tempfd, "w")) == NULL) { *Buffer =
> "MARC::GetPrettyBuffer() failed to open temp file"; return; }


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ1JvdAAoJEBYNRVNeJnmTECoP/1MoTbtK3rDPjqww7CZHmPNv
e3holkb4Pf9ksE1cI8N/dQJsceSbl6QGJbN3K3D44gRvELI4d+WUmmzZBVJUmWxO
gEgeMrbTcpTYlARwNa7U7saMW0yNIx8JXA1KFmVGik/cEyb4vfV0TezRU6YtUrhA
ubwNURoxyNaIofcTW5SKLvS9DAbBYa9UhdZzbJFd7ECAU1SuPZJ/MBScwzY5OAwt
Sa2u870/pnrUkkFUoSGgmNGOys3ZlTz306IdOUEFdf4LvTbYsWPGKI/yOjIH/SGS
gFyOmPGrD9D0FY8XDyWV+AczTZB1JAD7EonapmlHvfrT0urq6pJDoRprsZBDxdNy
jeKgzkzdqTXncrf7UDH2TobHSzgULvOrk4iw+jQSkKebiWTRl14W5LhM7XLciz7V
lLJWsghteeHDUrsXrQo0DET8Pp0GnOISIPWdL8t9mqAjjHTMZMzIrmHeSht2Hw3i
CKHdbi76fTdsJPFRxWZtD1izoA1LELK6iNoxeNQwFNHvwtykhXmE5P/DRwTzvu9v
E7IAe7A/1PT88CXK/tRf1oAic4gGDAJszKUBmklpH+ofafJOPRNTt3PComxO3xKr
JfjFRr/R9zOw+MPgmlocCdIj6q3qAm0eKffkyy20pjmJP7V3zzdhNfNCi6EfmEfp
xZUppQSnc3JVbv7nYq3s
=r14p
-----END PGP SIGNATURE-----