Re: Insecure use of file in /tmp by trn

From: Richard Kettlewell (richardkat_private)
Date: Mon Aug 23 1999 - 02:46:20 PDT


    Rogier Wolff writes:
    > Martin Schulze wrote:
    
    >> This was not intentional by the author, he tried to use tempfile(1) to
    >> create the temporary filename.  However, due to a thinko, the name was
    >> hardcoded into the script.
    > [...]
    >> +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
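    Review bot: the added `NNTPactive=` line begins with `#`, so as quoted it is a comment and assigns nothing; if it is meant to be the live assignment, drop the leading `#` and keep the old `/tmp/active.\$\$` form only in the trailing comment. The backticks and `$$` are backslash-escaped, so `tempfile -p active` is not run here but wherever this text is later evaluated, and that is where its exit status should be checked before the name is used.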
    >
    > So now you're using tempfile? This usually yields an easily
    > predictable filename, for which the same exploits hold.  Just keep
    > an eye out for the last PID issued, and OK, this time you might need
    > to flip a link (provided that tempfile indeed refuses to return a
    > file that is currently symlinked.)
    
    tempfile opens the chosen filename using O_CREAT|O_EXCL.  If there is
    a link there, this means it will get EEXIST.  (What tempfile then does
    is to pick another name and try again.)
    
    So, I believe the proposed fix is safe.
    
    ttfn/rjk
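
The O_CREAT|O_EXCL behaviour described in the message above, as an added example that is not part of the original post and not tempfile's source. The numbered-suffix naming, the `excl_create` and `demo` functions, and the planted symlink are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file exclusively, moving to the next candidate name on EEXIST.
 * Numbered suffixes are a demo assumption, not tempfile's name generator. */
int excl_create(const char *dir, const char *prefix, char *out, size_t outlen,
                int *collisions)
{
    *collisions = 0;
    for (int i = 0; i < 100; i++) {
        snprintf(out, outlen, "%s/%s.%d", dir, prefix, i);
        int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;      /* not a name collision: give up */
        (*collisions)++;    /* a file or symlink already holds this name */
    }
    return -1;
}

/* Constructed scenario: a dangling symlink sits at the first candidate name.
 * Returns 0 when its target was not created and another name was used. */
int demo(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char target[128], planted[128], got[128];
    struct stat st;
    int collisions;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/active.0", dir);
    if (symlink(target, planted) != 0) return -1;
    int fd = excl_create(dir, "active", got, sizeof got, &collisions);
    if (fd < 0) return -1;
    close(fd);
    int ok = collisions == 1 && strcmp(got, planted) != 0
             && stat(target, &st) == -1 && errno == ENOENT;
    unlink(got); unlink(planted); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```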
    


