Date: Sat, 13 Jan 1996 21:45:02 -0500
From: Sujal Patel <smpatel@sl-009.sl.cybercomm.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/944: Security fixes for Fvwm 1.24r
Message-ID: <199601140245.VAA00630@sl-009.sl.cybercomm.net>
Resent-Message-ID: <199601140250.SAA06470@freefall.freebsd.org>
>Number: 944 >Category: ports >Synopsis: Security fixes for Fvwm 1.24r >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jan 13 18:50:01 PST 1996 >Last-Modified: >Originator: Sujal Patel >Organization: >Release: FreeBSD 2.2-CURRENT i386 >Environment: FreeBSD 2.1+ >Description: Security problems with mktemp race condition. >From Linux Security FAQ Update #10 There is a good bit of stuff done between the mktemp() and the actual usage of the temporary file, so this bug is not very difficult to exploit. This bug could allow another local user to execute commands as you, when you start FVWM. >How-To-Repeat: >Fix: This should take care of it. This is a slightly cleaned up version of the fix by Debian/GNU Linux. diff -ur old/fvwm-1.24r/fvwm/configure.c new/fvwm-1.24r/fvwm/configure.c --- old/fvwm-1.24r/fvwm/configure.c Tue Nov 15 09:02:27 1994 +++ new/fvwm-1.24r/fvwm/configure.c Sat Jan 13 20:59:52 1996 @@ -1976,6 +1976,8 @@ char *vc; /* Visual Class */ FILE *tmpf; struct passwd *pwent; + int fd; + /* Generate a temporary filename. Honor the TMPDIR environment variable, if set. Hope nobody deletes this file! */ @@ -1984,14 +1986,21 @@ } else { strcpy(tmp_name, "/tmp"); } - strcat(tmp_name, "/fvwmrcXXXXX"); - mktemp(tmp_name); + strcat(tmp_name, "/fvwmrcXXXXXX"); + vc = mktemp(tmp_name); - if (*tmp_name == '\0') + if (vc == NULL) { perror("mktemp failed in m4_defs"); exit(0377); } + + /* make a directory to guard against following symlinks */ + if (mkdir(tmp_name, 0700) != 0) { + perror("exclusive open for tmp_name failed in m4_defs"); + exit(0377); + } + strcat(tmp_name, "/data"); /* what actual tmp file is to be called */ /* * Create the appropriate command line to run m4, and diff -ur old/fvwm-1.24r/fvwm/fvwm.c new/fvwm-1.24r/fvwm/fvwm.c --- old/fvwm-1.24r/fvwm/fvwm.c Tue Nov 15 09:02:52 1994 +++ new/fvwm-1.24r/fvwm/fvwm.c Sat Jan 13 20:57:49 1996 
@@ -874,11 +874,19 @@ if (m4_enable) { extern char *fvwm_file; + char *p; /* With m4 processing, a temporary file was created to hold the processed file. Delete the file now because we don't need it any more. It will be created again during restart. */ unlink(fvwm_file); + /* get rid of directory it was in as well, since that was created to + secure access to the file */ + p = strrchr(fvwm_file, '/'); + if (p!=NULL) + *p='\0'; /* chop off last component of fvwm_file */ + if (rmdir(fvwm_file)!=0) + fprintf(stderr, "Couldn't rmdir %s\n", fvwm_file); } #endif >Audit-Trail: >Unformatted:
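Review bot: In the first configure.c hunk (@@ -1976), the new "int fd;" is not used anywhere in the visible lines: the fix creates a directory with mkdir() and never opens a descriptor. Either drop the declaration or use it for an exclusive open of the data file inside the new directory.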
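Review bot: In the second configure.c hunk (@@ -1984), tmp_name now takes a longer template plus strcat(tmp_name, "/data") with no length check visible, and the comment says the prefix can come from TMPDIR; confirm the buffer holds prefix, template and "/data", or bound the copies. The perror() text after mkdir() reads "exclusive open for tmp_name failed", which names the wrong call. The mktemp() result is stored in vc, which is declared as the Visual Class pointer; a dedicated variable would be clearer. Because a mkdir() failure on an existing name goes straight to exit(0377), consider retrying with a fresh name.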
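Review bot: In the fvwm.c hunk (@@ -874), "*p='\0';" truncates fvwm_file in place, so after this block the global names the directory rather than the file; if anything reads fvwm_file later, do the truncation on a copy. The unlink() result is not checked, so a failed unlink shows up only as "Couldn't rmdir" with no reason given; reporting strerror(errno) for both calls would make the failure diagnosable.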
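The fix above guards the temporary file by placing it in a directory only the user can enter. As an added example (not part of the patch or of fvwm), here is the same pattern written with the POSIX calls mkdtemp() and open() with O_EXCL; the function names private_tmpfile and private_tmpfile_cleanup are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: create a 0700 directory <TMPDIR>/fvwmrcXXXXXX and an
 * empty file "data" in it. Returns an open fd (path in `path`) or -1. */
int private_tmpfile(char *path, size_t len)
{
    const char *base = getenv("TMPDIR");
    int n, fd;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    n = snprintf(path, len, "%s/fvwmrcXXXXXX", base);
    if (n < 0 || (size_t)n + sizeof("/data") > len)   /* room for "/data" */
        return -1;
    /* mkdtemp() chooses the name and creates the directory atomically, so no
     * other user can claim the name between the two steps. */
    if (mkdtemp(path) == NULL)
        return -1;
    strcat(path, "/data");
    /* O_EXCL refuses an existing file; O_NOFOLLOW refuses a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {                       /* undo the directory on failure */
        *strrchr(path, '/') = '\0';
        rmdir(path);
    }
    return fd;
}

/* Remove the file, then its directory; 0 only if both calls succeed. */
int private_tmpfile_cleanup(char *path)
{
    int rc = unlink(path);
    *strrchr(path, '/') = '\0';         /* path always contains '/' here */
    return rmdir(path) != 0 ? -1 : rc;
}

int main(void)
{
    char path[1024];
    int fd = private_tmpfile(path, sizeof path);
    if (fd < 0) { perror("private_tmpfile"); return 1; }
    printf("created %s\n", path);
    close(fd);
    return private_tmpfile_cleanup(path) != 0;
}
```

The caller writes through the returned descriptor rather than reopening the path, which keeps the name out of the trust decision entirely.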