[11512] in bugtraq
Re: Insecure use of file in /tmp by trn
daemon@ATHENA.MIT.EDU (Richard Kettlewell)
Wed Aug 25 18:25:48 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <14273.6252.678954.96374@chiark.greenend.org.uk>
Date: Mon, 23 Aug 1999 10:46:20 +0100
Reply-To: Richard Kettlewell <richardk@CHIARK.GREENEND.ORG.UK>
From: Richard Kettlewell <richardk@CHIARK.GREENEND.ORG.UK>
X-To: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <m2n.11IiGp-001OIO@chiark.greenend.org.uk>
Rogier Wolff writes:
> Martin Schulze wrote:
>> This was not intentional by the author, he tried to use tempfile(1) to
>> create the temporary filename. However, due to a thinko, the name was
>> hardcoded into the script.
> [...]
>> +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"
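Review bot: the added line is itself commented out (a # follows the +), so as quoted it does not change what NNTPactive is set to; the effective line needs the leading # removed, with the old "/tmp/active.$$" value kept only as the trailing comment. Whatever name tempfile -p active prints must then be used exactly as created (opened for writing or appending), not removed and recreated by the script, because the exclusive-create guarantee that makes the fix safe applies only to the file tempfile itself opened.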
>
> So now you're using tempfile? This usually yields an easily
> predictable filename, for which the same exploits hold. Just keep
> an eye out for the last PID issued, and OK, this time you might need
> to flip a link (provided that tempfile indeed refuses to return a
> file that is currently symlinked.)
tempfile opens the chosen filename using O_CREAT|O_EXCL. If there is
a link there, this means it will get EEXIST. (What tempfile then does
is to pick another name and try again.)
So, I believe the proposed fix is safe.
ttfn/rjk
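The open(2) behaviour Richard describes, as an added example that is not code from the original thread, from trn or from tempfile(1): an O_CREAT|O_EXCL open fails with EEXIST when anything already occupies the path, a dangling symlink included, so a link planted at a predictable name such as /tmp/active.$$ cannot redirect the write; a tempfile-style loop then simply picks a fresh random name and tries again. Function names, the retry limit and the demo directory layout are this example's own choices, not tempfile's implementation.

```c
/*
 * Added example (not code from the thread, trn or tempfile(1)): shows why
 * O_CREAT|O_EXCL defeats a symlink planted at a predictable temp-file name,
 * and how a tempfile-style loop retries on EEXIST. Names are illustrative.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for writing only if this call creates it. Fails with EEXIST
 * when anything is already there: a file, a directory, or a symlink
 * (POSIX requires EEXIST for a symlink even if its target is missing). */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Fill SUFFIX with LEN random hex digits read from /dev/urandom, so the
 * name is not derivable from the PID the way "/tmp/active.$$" is. */
static int random_suffix(char *suffix, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[32];
    if (len > sizeof raw) return -1;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, raw, len);
    close(fd);
    if (got != (ssize_t)len) return -1;
    for (size_t i = 0; i < len; i++)
        suffix[i] = hex[raw[i] & 0x0f];
    suffix[len] = '\0';
    return 0;
}

/* tempfile(1)-style creation: try DIR/PREFIX.<random>; on EEXIST (someone
 * else's file or a planted link) choose another name. Returns the open fd
 * and writes the chosen path into OUT, or -1 on failure. */
int make_tempfile(const char *dir, const char *prefix, char *out, size_t outlen)
{
    for (int attempt = 0; attempt < 100; attempt++) {
        char suffix[17];
        if (random_suffix(suffix, 16) < 0) return -1;
        int n = snprintf(out, outlen, "%s/%s.%s", dir, prefix, suffix);
        if (n < 0 || (size_t)n >= outlen) return -1;
        int fd = open_exclusive(out);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1; /* permission or I/O error: give up */
        /* EEXIST: the name is taken, loop and pick a different one */
    }
    return -1;
}

/* Demonstration in a private scratch directory: plant a dangling symlink
 * at the predictable name "active.<pid>", check that the exclusive open
 * is refused with EEXIST and the link target is never created, then show
 * the retry loop still obtains a usable file. Returns 1 if all held. */
int demo_symlink_blocked(void)
{
    char dir[] = "/tmp/exclusive-demo.XXXXXX";  /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;

    char predictable[PATH_MAX], victim[PATH_MAX], fresh[PATH_MAX];
    snprintf(predictable, sizeof predictable, "%s/active.%ld", dir, (long)getpid());
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int ok = 0;
    if (symlink(victim, predictable) == 0) {
        struct stat st;
        int fd = open_exclusive(predictable);
        /* O_EXCL must fail with EEXIST and must not have followed the link */
        if (fd < 0 && errno == EEXIST && lstat(victim, &st) < 0 && errno == ENOENT) {
            int tfd = make_tempfile(dir, "active", fresh, sizeof fresh);
            if (tfd >= 0 && strcmp(fresh, predictable) != 0) {
                ok = 1;
                close(tfd);
                unlink(fresh);
            }
        }
        if (fd >= 0) close(fd);
        unlink(predictable);
        unlink(victim);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_symlink_blocked() ? "O_EXCL refused the planted symlink"
                                          : "demo failed");
    return 0;
}
```

The guarantee only covers the open that created the file: a script that takes the name tempfile printed, deletes it and recreates it with a plain redirection is back to the original race, which is why the name must be used as handed out.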