[2468] in bugtraq
Re: mailx-5.5 (slackware /bin/mail) security hole
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Sat Dec 23 23:50:06 1995
Date: Sat, 23 Dec 1995 18:29:43 -0500
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
From: "Theodore Ts'o" <tytso@MIT.EDU>
X-To: linux-security@tarsier.cv.nrao.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
In-Reply-To: David J Meltzer's message of Fri, 22 Dec 1995 17:35:01 -0500
(EST), <Akqn_Jy00iVE44P1Zx@andrew.cmu.edu>
My, the more things change, the more things stay the same. This is an
*old*, *old*, **old** vulnerability. In fact, it's so old that BSD 4.3
(back when dinosaurs prowled the earth :-), introduced the mkstemp()
call to deal with this vulnerability.
int mkstemp(char *template)
Works just like mktemp(), but it returns a file descriptor which is open
for reading and writing. This file descriptor is guaranteed to belong
to a fresly created file. mkstemp() is already in the Linux libc, for
BSD compatibility --- it's just a matter of modifying existing programs
to use it.
It would probably be a good idea for future descriptions of this particular
security problem also included the a fix for getting around this
problem. Using mkstemp(), where available, is a fine way to fix the
problem. If it's not available, it's not terribly hard to write a
mkstemp() function, or to simply use mktemp and open the file with the
O_CREAT and O_EXCL flags.
Regarding the denial of service attack if there are more than 62
conflicting file names --- this sounds like a bug in mktemp() to me! It
clearly should be using a better algorithm if that's all it takes to
trip it up.
- Ted
