From owner-freebsd-bugs Sat Jan 13 18:50:05 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id SAA06476 for bugs-outgoing; Sat, 13 Jan 1996 18:50:05 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id SAA06470 Sat, 13 Jan 1996 18:50:03 -0800 (PST)
Resent-Date: Sat, 13 Jan 1996 18:50:03 -0800 (PST)
Resent-Message-Id: <199601140250.SAA06470@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, smpatel@wam.umd.edu
Received: from sl-009.sl.cybercomm.net (sl-009.sl.cybercomm.net [199.171.196.137]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id SAA06334 for ; Sat, 13 Jan 1996 18:45:11 -0800 (PST)
Received: (from smpatel@localhost) by sl-009.sl.cybercomm.net (8.6.12/8.6.12) id VAA00630; Sat, 13 Jan 1996 21:45:02 -0500
Message-Id: <199601140245.VAA00630@sl-009.sl.cybercomm.net>
Date: Sat, 13 Jan 1996 21:45:02 -0500
From: Sujal Patel
Reply-To: smpatel@wam.umd.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/944: Security fixes for Fvwm 1.24r
Sender: owner-bugs@freebsd.org
Precedence: bulk

>Number: 944
>Category: ports
>Synopsis: Security fixes for Fvwm 1.24r
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 13 18:50:01 PST 1996
>Last-Modified:
>Originator: Sujal Patel
>Organization:
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
FreeBSD 2.1+
>Description:
Security problems with mktemp race condition.

From Linux Security FAQ Update #10: There is a good bit of stuff done between the mktemp() and the actual usage of the temporary file, so this bug is not very difficult to exploit. This bug could allow another local user to execute commands as you, when you start FVWM.
>How-To-Repeat:
>Fix:
This should take care of it. This is a slightly cleaned up version of the fix by Debian/GNU Linux.

diff -ur old/fvwm-1.24r/fvwm/configure.c new/fvwm-1.24r/fvwm/configure.c --- old/fvwm-1.24r/fvwm/configure.c Tue Nov 15 09:02:27 1994 +++ new/fvwm-1.24r/fvwm/configure.c Sat Jan 13 20:59:52 1996 @@ -1976,6 +1976,8 @@ char *vc; /* Visual Class */ FILE *tmpf; struct passwd *pwent; + int fd; + /* Generate a temporary filename. Honor the TMPDIR environment variable, if set. Hope nobody deletes this file! */
@@ -1984,14 +1986,21 @@ } else { strcpy(tmp_name, "/tmp"); } - strcat(tmp_name, "/fvwmrcXXXXX"); - mktemp(tmp_name); + strcat(tmp_name, "/fvwmrcXXXXXX"); + vc = mktemp(tmp_name); - if (*tmp_name == '\0') + if (vc == NULL) { perror("mktemp failed in m4_defs"); exit(0377); } + + /* make a directory to guard against following symlinks */ + if (mkdir(tmp_name, 0700) != 0) { + perror("exclusive open for tmp_name failed in m4_defs"); + exit(0377); + } + strcat(tmp_name, "/data"); /* what actual tmp file is to be called */ /* * Create the appropriate command line to run m4, and diff -ur old/fvwm-1.24r/fvwm/fvwm.c new/fvwm-1.24r/fvwm/fvwm.c --- old/fvwm-1.24r/fvwm/fvwm.c Tue Nov 15 09:02:52 1994 +++ new/fvwm-1.24r/fvwm/fvwm.c Sat Jan 13 20:57:49 1996 @@ -874,11 +874,19 @@ if (m4_enable) { extern char *fvwm_file; + char *p; /* With m4 processing, a temporary file was created to hold the processed file. Delete the file now because we don't need it any more. It will be created again during restart. */ unlink(fvwm_file); + /* get rid of directory it was in as well, since that was created to + secure access to the file */ + p = strrchr(fvwm_file, '/'); + if (p!=NULL) + *p='\0'; /* chop off last component of fvwm_file */ + if (rmdir(fvwm_file)!=0) + fprintf(stderr, "Couldn't rmdir %s\n", fvwm_file); } #endif >Audit-Trail: >Unformatted:
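Review bot: on the first configure.c hunk (@@ -1976,6 +1976,8 @@), the added `int fd;` is never used anywhere in the patch, which creates the guard directory with mkdir() rather than with an exclusive open; either drop the declaration or go the whole way and create the data file itself with open(tmp_name, O_WRONLY|O_CREAT|O_EXCL, 0600) into fd, so that the file as well as the directory is created atomically. The context comment "Hope nobody deletes this file!" is also stale once the file lives in a 0700 directory and could be reworded to say why the directory exists.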
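Review bot: in the second configure.c hunk (@@ -1984,14 +1986,21 @@), the failure test `if (vc == NULL)` replaces `if (*tmp_name == '\0')`, and the two are not equivalent across platforms: BSD mktemp() returns NULL when it cannot build a unique name, while the SysV/Linux implementation always returns the template and sets its first byte to '\0', so on the latter the new check never fires and the failure only surfaces later as a confusing mkdir() error on an empty path. Keep both conditions, `if (vc == NULL || *tmp_name == '\0')`, and give the return value its own variable rather than reusing `vc`, which the declaration above documents as the Visual Class. mkdir() on the mktemp() name is the right primitive here, since it fails instead of following an entry that already exists, but two details: the perror() text "exclusive open for tmp_name failed" describes an open() where the call is mkdir(), so the logged message will mislead whoever reads it; and a mkdir() failure with EEXIST (a plain name collision included) exits fvwm outright, where looping back to a fresh template a few times, as mkdtemp() does, would be more robust.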
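Review bot: in the fvwm.c hunk (@@ -874,11 +874,19 @@), `*p='\0'` after strrchr() truncates the global `fvwm_file` (declared `extern char *fvwm_file;` in the context) in place, so anything that reads it after this block, including the restart the comment above refers to, now sees the directory path rather than the file; copy the path into a local buffer before chopping it, or restore the '/' after rmdir(). The unlink() result should be checked the same way rmdir() now is: with the file inside a 0700 directory, a failed unlink() is exactly what makes the following rmdir() fail with ENOTEMPTY, and the current message would blame the directory. Style: `p!=NULL`, `*p='\0'` and `rmdir(fvwm_file)!=0` want spaces around the operators, as the configure.c hunk already writes `mkdir(tmp_name, 0700) != 0`.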
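The description above locates the danger in the window between mktemp() and the first use of the name, and the patch closes it by making the name a 0700 directory before the data file inside it is touched. As an added example, not the PR's or fvwm's code, here is the same idea in current POSIX C: mkdtemp() performs the patch's mktemp()-then-mkdir(0700) as one atomic step, the data file is opened with O_EXCL|O_NOFOLLOW so a pre-existing entry is refused rather than followed, and a constructed self-check exercises both the normal round trip and the refusal. The function names are assumptions; the "/data" file name inside the directory is the patch's own.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp(), symlink(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Make a private 0700 dir under $TMPDIR (default /tmp): 0 (path in dirbuf) or -1.
 * mkdtemp() does the patch's mktemp()+mkdir(0700) atomically: existing name = fail. */
int make_private_dir(char *dirbuf, size_t dirlen)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    if (snprintf(dirbuf, dirlen, "%s/fvwmrcXXXXXX", tmpdir) >= (int)dirlen)
        return -1;
    return mkdtemp(dirbuf) == NULL ? -1 : 0;
}

/* Open "<dir>/data" for writing: O_EXCL refuses any pre-existing entry and
 * O_NOFOLLOW refuses a symlink, so the write cannot be redirected. fd or -1. */
int open_data_file(const char *dir)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/data", dir) >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Tear down in the order the fvwm.c hunk uses: unlink the file, then rmdir. */
int remove_private_dir(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/data", dir);
    unlink(path);   /* may be absent if open_data_file() refused the entry */
    return rmdir(dir);
}

/* Constructed self-check: a normal round trip returns 0, and a symlink we plant
 * at "<dir>/data" inside our own private dir is refused rather than followed. */
int self_check(void)
{
    char dir[4096], link[4096]; int fd;
    if (make_private_dir(dir, sizeof dir) != 0) return 1;
    if ((fd = open_data_file(dir)) < 0) return 2;
    close(fd);
    if (remove_private_dir(dir) != 0) return 3;
    if (make_private_dir(dir, sizeof dir) != 0) return 4;
    snprintf(link, sizeof link, "%s/data", dir);
    if (symlink("/dev/null", link) != 0) return 5;
    if (open_data_file(dir) >= 0) return 6;   /* open must fail with EEXIST */
    return remove_private_dir(dir) == 0 ? 0 : 7;
}
```

self_check() returns 0 when both the round trip and the refusal behave as described; any other value names the step that went wrong.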