[13650] in bugtraq
Re: Tempfile vulnerabilities
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Wed Feb 2 01:41:26 2000
Message-Id: <200002012215.PAA25388@cvs.openbsd.org>
Date: Tue, 1 Feb 2000 15:15:37 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Grant Taylor <gtaylor+bugtraq_hcdbb013100@PICANTE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Mon, 31 Jan 2000 23:55:18 EST."
<200002010455.XAA20677@pace.picante.com>
That fix is not correct.
You're just hoping that if you can make a filename that noone can
guess, that you'll be the first person to open it?
I suggest you read the OpenBSD mkstemp(3) man page, and apply what
you learn there to perl code. The only way to handle this correctly
is to use the O_CREAT|O_EXL flag on the final open system call.
Go back and read the stuff I've posted to bugtraq over the last three
years about /tmp races. Everyone's just repeating the same mistakes.
> >>>>> foo <foo@BLACKLISTED.INTRANOVA.NET> writes:
>
> > In Autobuse's main perl script, line 96:
> >
> > if(!$test_run) {
> > open OUT, ">/tmp/autobuse_report.$$"
> > or die "can't open /tmp/autobuse_report.$$";
> > select OUT;
> > }
>
> This is fixed, partly, in autobuse version snap949125599, and more so
> in today's snap949380617, which uses this mktemp function:
>
> sub get_tmpfile {
> my $file;
> do {
> open RAN, "/dev/random" || die;
> read(RAN,$foo,16);
> close RAN;
> $file = '/tmp/autobuse' . unpack('H16',$foo);
> } while (-e $file || -l $file);
>
> return $file;
> }
>
> This method is Linux-specific, but that's all I need. The fixed
> autobuse is available at http://www.picante.com/~gtaylor/autobuse/
>
> Note that Autobuse has, as far as I know, zero users (including me).
> If I am wrong about this, please let me know!
>
> --
> Grant Taylor - gtaylor at picante.com - http://www.picante.com/~gtaylor/
> Linux Printing HOWTO: http://www.picante.com/~gtaylor/pht/
