On Thu, Jul 12, Cy Schubert - ITSD Open Systems Group wrote:
> I don't know whether the commercial version (2.4) has this bug (haven't
> installed it yet, though as the free version is probably based on the
> commercial version, I suspect (guess) it might be.

I have reported the tempfile issue to tripwire back in January. I was
under the impression that (then upcoming 2.4) would have this fixed.
I haven't checked if it fixes the bug, but AFAIK it has the TEMPDIRECTORY
config option so you can use 'safe' temp directory.

> And for Tripwire-2.3.1 the patch is:
> --- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001 > +++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001 > @@ -243,6 +243,7 @@ > { > char* pchTempFileName; > char szTemplate[MAXPATHLEN]; > + int fd; > > #ifdef _UNICODE > // convert template from wide character to multi-byte string
> @@ -253,13 +254,14 @@ > strcpy( szTemplate, strName.c_str() ); > #endif > > - // create temp filename > - pchTempFileName = mktemp( szTemplate ); > + // create temp filename and check to see if mkstemp failed > + if ((fd = mkstemp( szTemplate )) == -1) { > + throw eFSServicesGeneric( strName ); > + } else { > + close(fd); > + } > + pchTempFileName = szTemplate; > > - //check to see if mktemp failed > - if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) { > - throw eFSServicesGeneric( strName ); > - } > > // change name so that it has the XXXXXX part filled in > #ifdef _UNICODE

If you look a little below you'll see a call to FileDelete(strName);
So first you create a file with mkstemp and then unlink it. And because
cFileArchive::OpenReadWrite(line 708) then opens the same file(name)
without O_EXCL there still is a race. So I don't think this is a
sufficient fix.

You should make cFileArchive::OpenReadWrite use O_EXCL. I have
--> untested <-- patch (probably fails horribly ;-) for this:
http://www.uku.fi/~jhuuskon/Patches/tripwire-2.3.1-2-O_EXCL.patch

> We haven't had a chance to install the commercial version yet, however
> if the commercial version is vulnerable (I've notified TripwireSecurity
> of the possibility and I'm betting dollars to donuts that it might be)
> a possible workaround would be to create a shared library with a
> function named mktemp which would call mkstemp() as in the patches
> above, then execute tripwire using LD_PRELOAD to load the mktemp
> wrapper.

Back in January the binary tripwire 2.2.1 for linux was statically
compiled / linked. Can you use LD_PRELOAD with static executables?

-Jarno

--
Jarno Huuskonen <Jarno.Huuskonenat_private>
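
Review bot: in the second hunk (@@ -253,13 +254,14 @@) the descriptor returned by mkstemp() is closed straight away and only the name is kept in pchTempFileName, so the exclusive creation that mkstemp() provides ends at close(fd) and every later open of that name is a separate, unprotected step. Either keep fd open and pass it on to the code that writes the file, or have the later open use O_CREAT | O_EXCL as the reply proposes. The throw also passes strName (the unfilled template) and no errno, so a failure will not say why mkstemp() failed.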
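
Added example, not part of the thread or of the Tripwire source: a self-contained C replay of the sequence the reply describes (mkstemp and close, delete, reopen by name), showing that an O_CREAT | O_EXCL open refuses a name that has reappeared while a plain O_CREAT open follows it. The function names and the /tmp paths are constructed for this demo.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, mkstemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open path read/write only if this call creates it: with O_EXCL an
 * existing name, including a symlink, fails with EEXIST. */
int open_rw_excl(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Replays the thread's sequence inside a private directory: mkstemp and
 * close, unlink, the name reappears as a symlink, then reopen by name.
 * Returns 1 if the O_EXCL open refused the name and the plain open
 * followed the link to the target, 0 if not, -1 on setup error. */
int demo_reopen_race(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";       /* constructed paths */
    char name[64], target[64];
    int fd, excl_fd, excl_errno, plain_fd, followed;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/twXXXXXX", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if ((fd = mkstemp(name)) == -1) return -1;  /* as in the quoted patch */
    close(fd);
    unlink(name);                               /* stands in for FileDelete */
    if (symlink(target, name) == -1) return -1; /* name reappears in the gap */

    excl_fd = open_rw_excl(name);
    excl_errno = errno;
    plain_fd = open(name, O_RDWR | O_CREAT, 0600);
    followed = (access(target, F_OK) == 0);     /* target created via link */

    if (excl_fd != -1) close(excl_fd);
    if (plain_fd != -1) close(plain_fd);
    unlink(name); unlink(target); rmdir(dir);
    return excl_fd == -1 && excl_errno == EEXIST && plain_fd != -1 && followed;
}

int main(void)
{
    printf("O_EXCL refused the reused name: %d\n", demo_reopen_race());
    return 0;
}
```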
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 22:02:22 PDT