oss-sec mailing list archives
Re: Isearch insecure temporary files
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 21 Dec 2012 10:26:57 -0700
On 12/21/2012 04:05 AM, David Holland wrote:
NetBSD pkgsrc ships an old text search package called Isearch, which I found tonight (in the course of making it compile with a modernish C++ compiler) to contain garden-variety /tmp races. Does anyone else ship it? I don't think this is worth a CVE unless someone does; the package appears to be dead upstream.
This is similar to http://seclists.org/oss-sec/2012/q4/142

Ideally we need some way to mark software as dead/unsafe/don't use. I don't know what the answer is though (does someone maintain a blacklist? who decides? etc.).
http://gnats.netbsd.org/47360 for reference; the relevant portions of the patches cited follow.
Yeah that's pretty classic /tmp vulns. Please use CVE-2012-5663 for this issue.
--- doctype/anzmeta.cxx~ 2000-10-11 14:02:15.000000000 +0000 +++ doctype/anzmeta.cxx @@ -1446,9 +1448,21 @@ ANZMETA::Present (const RESULT& ResultRe } else { STRING s_cmd; //CHR* c_cmd; - CHR *TmpName; + CHR TmpName[64]; + int fd; - TmpName = tempnam("/tmp", "mpout"); + strcpy(TmpName, "/tmp/mpoutXXXXXX"); + fd = mkstemp(TmpName); + if (fd < 0) { + /* + * Apparently failure is not an option here, so + * proceed in a way that at least won't be insecure. + */ + strcpy(TmpName, "/dev/null"); + } + else { + close(fd); + } cout << "[ANZMETA::Present] no docs found, so build Fly cmd" << endl; --- doctype/fgdc.cxx~ 2000-09-06 18:20:30.000000000 +0000 +++ doctype/fgdc.cxx @@ -1824,10 +1826,22 @@ FGDC::Present (const RESULT& ResultRecor return; } else { STRING s_cmd; - CHR *TmpName; - - TmpName = tempnam("/tmp", "mpout"); + CHR TmpName[64]; + int fd; + strcpy(TmpName, "/tmp/mpoutXXXXXX"); + fd = mkstemp(TmpName); + if (fd < 0) { + /* + * Apparently failure is not an option here, so + * proceed in a way that at least won't be insecure. + */ + strcpy(TmpName, "/dev/null"); + } + else { + close(fd); + } + BuildCommandLine(mpCommand, HoldFilename, RecordSyntax, TmpName, &s_cmd); system(s_cmd); --- src/marc.cxx.orig 1998-05-12 16:49:10.000000000 +0000 +++ src/marc.cxx @@ -194,9 +194,15 @@ MARC::GetPrettyBuffer(STRING *Buffer) { /* // Cheese, cheese, cheese;-) - char *tempfile = tempnam("/tmp", "marc"); + char tempfile[32]; + strcpy(tempfile, "/tmp/marcXXXXXX"); + int tempfd = mkstemp(tempfile); + if (tempfd < 0) { + *Buffer = "MARC::GetPrettyBuffer() failed to open temp file"; + return; + } FILE *fp; - if((fp = fopen(tempfile, "w")) == NULL) { + if((fp = fdopen(tempfd, "w")) == NULL) { *Buffer = "MARC::GetPrettyBuffer() failed to open temp file"; return; }
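Review bot: In the doctype/anzmeta.cxx hunk, the `fd < 0` branch silently replaces TmpName with /dev/null, so a failed mkstemp() throws the output away with no indication to the caller or the operator. Suggest reporting the failure next to the existing cout trace before falling back, or returning early with an error as the src/marc.cxx hunk does.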
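Review bot: In the doctype/fgdc.cxx hunk, close(fd) runs before BuildCommandLine() and system(s_cmd), so the external command reopens the file by name. That is safe only while the file mkstemp() created stays in place and owned by the caller, which in a shared /tmp depends on the sticky bit; a comment stating that assumption would help. Nothing in the visible lines removes the file afterwards, so check that whatever cleanup follows system() does not try to unlink TmpName when it holds /dev/null. The block is also a verbatim copy of the one in doctype/anzmeta.cxx, and a shared helper would keep the two from drifting apart.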
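Review bot: In the src/marc.cxx hunk, the fdopen() failure path returns without closing tempfd or removing the file mkstemp() just created, which leaks a descriptor and leaves an empty file behind in /tmp. Suggest close(tempfd) and unlink(tempfile) before that return. Both failure paths also set the same "failed to open temp file" message, so wording them differently (mkstemp versus fdopen) would make the failure easier to diagnose.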
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993