[6327] in bugtraq
Re: Another day, another race - lynx 2.7.1
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Tue Mar 17 17:52:52 1998
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 17 Mar 1998 19:03:34 +0100
Reply-To: Thomas Roessler <roessler@GUUG.DE>
From: Thomas Roessler <roessler@GUUG.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980317152338.14878A-100000@genome>
On Tue, Mar 17, 1998 at 03:39:58PM +0100, Michal Zalewski wrote:
> Lynx's /tmp file creation procedure is so poor that it isn't the only
> vulnerability.
> Source code details/fix:
> In LYUtils.c, they have written their own function to make tmp filename, called
> tempname. How it works:
> sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);
Actually, lynx is using LYNX_TEMP_SPACE instead of TMPDIR,
so setting that one to $HOME/.tmp (or whatever your
favorite place is) should help against that temp race.
(Yes, I know that this isn't the real fix, but it's a
quick workaround.)
On a related topic, H. P. Anvin's magicfilter 1.2 package
contains yet another /tmp race. The fix (replacing tmpnam
&& fopen by mkstemp && fdopen) is trivial, so I don't
include it.
Please note that this problem is especially dangerous,
since magicfilter will run as root on a typical
installation.
tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1