X-From-Line: crp22@cam.ac.uk Wed Jan 26 19:30:09 2000
Return-Path: <owner@bugs.debian.org>
Delivered-To: david@someotherplace.org
Received: from master.debian.org (master.debian.org [209.41.108.5])
by moe.coe.woodbine.md.us (Postfix) with SMTP id 4496D6863
for <david.coe@someotherplace.org>; Wed, 26 Jan 2000 19:33:28 +0000 (UTC)
Received: (qmail 22469 invoked by uid 1227); 26 Jan 2000 19:33:26 -0000
Subject: Bug#56266: [PATCH] ispell /tmp races
Reply-To: Colin Phipps <crp22@cam.ac.uk>, 56266@bugs.debian.org
Resent-From: Colin Phipps <crp22@cam.ac.uk>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-Cc: david.coe@someotherplace.org (David L. Coe)
Resent-Date: Wed, 26 Jan 2000 19:33:23 GMT
Resent-Message-ID: <handler.56266.B.94891503121115@bugs.debian.org>
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 56266
X-Debian-PR-Package: ispell
X-Debian-PR-Keywords:
X-Loop: owner@bugs.debian.org
Received: via spool by bugs@bugs.debian.org id=B.94891503121115
(code B ref -1); Wed, 26 Jan 2000 19:33:23 GMT
From: Colin Phipps <crp22@cam.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Reportbug-Version: 0.48
X-Mailer: reportbug 0.48
Date: Wed, 26 Jan 2000 19:30:09 +0000
Message-Id: <E12DY8n-0000JW-00@crp22.trin.cam.ac.uk>
Package: ispell
Version: 3.1.20-4
Severity: important
There are two race conditions in ispell's creation of temporary files, which
could be exploited to damage user data. Both are in ispell.c dofile():

1) The temporary filename is chosen with mktemp, then fopen'd. The gap
between choosing the name and opening it could allow an attacker to place a
symlink there, pointing to a file which ispell would then truncate. This
mktemp(3) weakness is documented in the libc docs.

2) The file is created with world writable permissions, and chmod'ed to the
perms of the file being read only afterwards. Again, in the intervening time
an attacker could insert data into the file.

The fix is easy: use mkstemp, which exists precisely for this purpose:
*** ispell.c Wed Jan 26 18:28:58 2000
--- ispell.c.new Wed Jan 26 18:45:03 2000
*************** static void dofile (filename)
*** 818,823 ****
--- 818,824 ----
{
struct stat statbuf;
char * cp;
+ int fh;
currentfile = filename;
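Review bot: the new `int fh;` has no initializer, and the cleanup added in the next hunk (`if (fh != -1) close(fh);`) is only correct because mkstemp assigns `fh` on the same line; declaring it as `int fh = -1;` keeps that guard valid if the error path is ever reached before the assignment.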
*************** static void dofile (filename)
*** 859,867 ****
(void) fstat (fileno (infile), &statbuf);
(void) strcpy (tempfile, TEMPNAME);
! if (mktemp (tempfile) == NULL || tempfile[0] == '\0'
! || (outfile = fopen (tempfile, "w")) == NULL)
{
(void) fprintf (stderr, CANT_CREATE,
(tempfile == NULL || tempfile[0] == '\0')
? "temporary file" : tempfile);
--- 860,868 ----
(void) fstat (fileno (infile), &statbuf);
(void) strcpy (tempfile, TEMPNAME);
! if (((fh = mkstemp(tempfile)) == -1) || ((outfile = fdopen(fh, "w")) == NULL))
{
+ if (fh != -1) close(fh);
(void) fprintf (stderr, CANT_CREATE,
(tempfile == NULL || tempfile[0] == '\0')
? "temporary file" : tempfile);
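Review bot: when `fdopen(fh, "w")` fails, the file that `mkstemp` has already created is closed but left behind in /tmp; add `(void) unlink (tempfile);` beside the `close(fh)` so the error path does not leak an empty 0600 file. The retained `tempfile == NULL` test in the CANT_CREATE message can never be true, since `tempfile` is the buffer that was just `strcpy`'d into; choosing the message on the mkstemp return value would be clearer. Note also that this hunk does not touch the later chmod to the original file's permissions that the report describes, so the 0600 mode mkstemp sets only holds until that call.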
This cures both problems at once; mkstemp creates the file with O_EXCL so it
will never overwrite an existing file, and it sets initial permissions 0600.
Final note: setting the temporary file to the same permissions as the
original is a false step IMHO. If the original is world writable, this will
make the temporary file world writable, but there is no good reason to do
so. Also, the fact that the original is world writable doesn't mean it was
accessible to everyone who can see /tmp, but it becomes so when ispell'd.
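As an added example (not part of the bug report or of the ispell sources), the mkstemp/fdopen pattern the patch introduces, written out with the cleanup the patch's error path lacks and with an fstat check that the file held is private; it assumes a POSIX system with a writable /tmp, and the template name and helper names are the example's own:

```c
#define _XOPEN_SOURCE 700   /* declares mkstemp, fdopen, fileno on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a temporary file the way the patch does: mkstemp() picks the name and
 * creates the file in one step with O_CREAT|O_EXCL and mode 0600, so a
 * pre-planted symlink at that name is never followed and nobody else can open
 * the file before the caller does.  On success *out is a stdio stream over the
 * same descriptor and 'path' holds the final name; on failure nothing is left
 * behind in /tmp.  (Template path is an assumption for this example.) */
static int open_private_temp(char *path, size_t pathlen, FILE **out)
{
    const char *tmpl = "/tmp/ispell-example-XXXXXX";
    int fd;

    if (strlen(tmpl) + 1 > pathlen)
        return -1;
    strcpy(path, tmpl);

    fd = mkstemp(path);                  /* atomically creates and opens */
    if (fd == -1)
        return -1;

    *out = fdopen(fd, "w");
    if (*out == NULL) {
        int saved = errno;
        close(fd);
        unlink(path);                    /* do not leak the empty 0600 file */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Inspect the descriptor actually held, not the path name: a regular file with
 * a single link and no group/other permission bits.  fstat() on the open file
 * cannot be raced by changes to the name in /tmp. */
static int temp_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && (st.st_mode & 077) == 0;
}

/* End-to-end: create, verify, write, close, unlink.  Returns 0 on success and
 * a negative code identifying the failing step otherwise. */
int demo_private_tempfile(void)
{
    char path[64];
    FILE *fp;
    int ok;

    if (open_private_temp(path, sizeof path, &fp) == -1)
        return -1;
    ok = temp_is_private(fileno(fp));
    if (fputs("corrected text\n", fp) == EOF)
        ok = 0;
    if (fclose(fp) == EOF)               /* fclose also closes the descriptor */
        ok = 0;
    if (unlink(path) == -1)
        ok = 0;
    return ok ? 0 : -2;
}

int main(void)
{
    int rc = demo_private_tempfile();
    printf("private temp file demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The 0600 mode comes from mkstemp itself (further masked by the process umask), which is why the permission check passes without any chmod; a later chmod to the original file's permissions, as the report describes ispell doing, would be the point at which that guarantee is given up.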
-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux crp22 2.2.15pre3 #1 Thu Jan 20 17:25:32 GMT 2000 i686
Versions of packages ispell depends on:
ii libc6 2.1.2-11 GNU C Library: Shared libraries an
ii libncurses4 4.2-6 Shared libraries for terminal hand