[8254] in bugtraq
Re: SVGATextMode 1.8 /tmp race
daemon@ATHENA.MIT.EDU (dumped)
Fri Oct 23 14:52:18 1998
Date: Thu, 22 Oct 1998 12:34:22 -0200
Reply-To: dumped <dumped@SEKURE.ORG>
From: dumped <dumped@SEKURE.ORG>
X-To: Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.03.9910212252050.848-100000@Death.GdS.RO>
On Thu, 21 Oct 1999, Adrian Voinea wrote:
> Hello,
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
> mode data in /tmp, in two files with the mode 644:
>
> [/tmp]
> root@Death# ls -lA
> total 1
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
>
> [/tmp]
> root@Death# savetextmode
> svgalib: Using S3 driver (Trio64, 4096K).
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
>
> [/tmp]
> root@Death# ls -lA
> total 35
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
> -rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
> -rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
>
> Also, I would like to add that savetextmode accepts no parameters.
> So... any user on the system that knows that the root is using
> SVGATextMode could link any of the files to a file that he wants to be
> overwritten.
> The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne@barco.com.
>
diff -Nur svgalib-1.3.1.buggy/utils/savetextmode svgalib-1.3.1/utils/savetextmode
--- svgalib-1.3.1.buggy/utils/savetextmode Sat Aug 2 03:37:15 1997
+++ svgalib-1.3.1/utils/savetextmode Thu Oct 22 12:25:50 1998
@@ -1,3 +1,3 @@
#!/bin/sh
-restoretextmode -w /tmp/textregs
-restorefont -w /tmp/fontdata
+restoretextmode -w `mktemp /tmp/textregs.XXXXXX`
+restorefont -w `mktemp /tmp/fontdata.XXXXXX`
Stupid.
dumped
http://www.sekure.org
Sekure/Uground Ind.
