[11501] in bugtraq
Re: Insecure use of file in /tmp by trn
daemon@ATHENA.MIT.EDU (Martin Schulze)
Tue Aug 24 19:25:02 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990823005756.T29569@finlandia.infodrom.north.de>
Date: Mon, 23 Aug 1999 00:57:57 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To: Rogier Wolff <R.E.Wolff@BitWizard.nl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908211547.RAA01512@cave.BitWizard.nl>; from Rogier Wolff on
Sat, Aug 21, 1999 at 05:47:37PM +0200
Rogier Wolff wrote:
> Martin Schulze wrote:
> > This was not intentional by the author, he tried to use tempfile(1) to
> > create the temporary filename. However, due to a thinko, the name was
> > hardcoded into the script.
> [...]
> > +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"
>
> So now you're using tempfile? This usually yields an easily
No, but now we're using tempfile in a proper way. In the original source
code it was used like:
NNTPactive=`tempfile -p active`
that led to this code in /usr/bin/newsgroups
active=/tmp/activea98b82
This was hardcoded and predictable, thus very bad. Now the program
/usr/bin/newsgroups contains this line:
active=`tempfile -p active`
which will use /tmp/active9292s for the first call and /tmp/active9x92y
for the second call. tempfile will also check if the file exists and
use a different name otherwise, and will create the file so it can
be used by scripts later on. This ought to be safe.
> predictable filename, for which the same exploits hold. Just keep an
> eye out for the last PID issued, and OK, this time you might need to
> flip a link (provided that tempfile indeed refuses to return a file
> that is currently symlinked.)
It does refuse. However, there is a small chance that it only
does this in Debian, but I hope not.
Regards,
Joey
--
A mathematician is a machine for converting coffee into theorems.
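Added example (editor's, not from this thread or from trn): the temp-file discipline the thread argues for, written with mktemp(1) instead of the Debian-specific tempfile(1), plus the pre-use check Rogier asks about (refuse a path that is a symlink, not a regular file, not ours, or not private). Assumes POSIX sh with mktemp and ls -n.

```shell
#!/bin/sh
# Added example, not code from the thread or from trn.
# Assumes POSIX sh, mktemp(1) and ls -n; TMPDIR overrides /tmp.

# Defensive check before writing to a path in a shared directory.
# Returns 0 when the path is safe to use, 1 otherwise.
check_tmp_path() {
    p=$1
    [ -L "$p" ] && return 1       # symlink: could point anywhere
    [ -f "$p" ] || return 1       # must be a regular file
    # ls -ldn gives "mode links uid gid ..."; word-split it into $1.. $4
    set -- $(ls -ldn -- "$p") || return 1
    case $1 in
        -rw-------*) ;;           # private to the owner
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ] || return 1   # owned by the caller
    return 0
}

# Create a temp file the safe way: mktemp lets the kernel create it
# atomically (O_EXCL, mode 0600) with an unpredictable suffix, so a
# pre-existing file or symlink with a guessed name cannot be reused.
# Prints the path; returns 1 on failure.
safe_tmpfile() {
    dir=${TMPDIR:-/tmp}
    f=$(mktemp "$dir/active.XXXXXX") || return 1
    if ! check_tmp_path "$f"; then
        rm -f -- "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# How a script such as /usr/bin/newsgroups would use it:
#   active=$(safe_tmpfile) || exit 1
#   trap 'rm -f -- "$active"' EXIT
```

Contrast with the hardcoded /tmp/activea98b82 from the thread: the name there is known in advance and the file is opened without O_EXCL, so anyone can pre-create it or plant a symlink.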