From owner-freebsd-questions Tue Jan 4 21:14:31 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20])
	by hub.freebsd.org (Postfix) with ESMTP id 7241F15113
	for ; Tue, 4 Jan 2000 21:14:29 -0800 (PST)
	(envelope-from brdavis@orion.ac.hmc.edu)
Received: (from brdavis@localhost)
	by orion.ac.hmc.edu (8.8.8/8.8.8) id VAA03368;
	Tue, 4 Jan 2000 21:14:13 -0800 (PST)
Date: Tue, 4 Jan 2000 21:14:12 -0800
From: Brooks Davis
To: Alex Charalabidis
Cc: FreeBSD Questions
Subject: Re: warnings about mktemp() and gets()
Message-ID: <20000104211412.A2795@orion.ac.hmc.edu>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: ; from alex@wnm.net on Tue, Jan 04, 2000 at 10:45:34PM -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jan 04, 2000 at 10:45:34PM -0600, Alex Charalabidis wrote:
> I seem to be noticing increasing warnings like these when compiling:
> 
> librwclient.a(support.o): In function `get_edit':
> support.o(.text+0xeae): warning: this program uses gets(), which is
> unsafe.
> librwclient.a(support.o): In function `wkfile_write':
> support.o(.text+0x12a9): warning: mktemp() possibly used unsafely;
> consider using mkstemp()
> 
> These particular ones were for rwhois from the ports collection. I've seen
> the latter many times before, even during buildworlds. Is there any reason
> for concern and are any particular precautions in order?

Any program using gets() is a buffer overflow waiting to happen since
gets() has no idea how large the string it is trying to stuff input in
is. If a program is connected to the network or has elevated privs
(SUID or SGID in particular) this is quite bad.

mktemp() is subject to race conditions which could result in overwriting
files in temp without checking which could lead to overwriting arbitrary
files via symlink exploits. I believe the suggested solution is to use
mkstemp() which is not subject to race conditions because it creates the
file instead of giving you its name.

-- Brooks

-- 
"Those who desire to give up freedom in order to gain security, will not
have, nor do they deserve, either one" --Thomas Jefferson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message