From owner-freebsd-bugs Sat Jan 13 23:40:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA19350 for bugs-outgoing; Sat, 13 Jan 1996 23:40:03 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA19336 Sat, 13 Jan 1996 23:40:01 -0800 (PST)
Date: Sat, 13 Jan 1996 23:40:01 -0800 (PST)
Message-Id: <199601140740.XAA19336@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Bruce Evans
Subject: Re: ports/944: Security fixes for Fvwm 1.24r
Reply-To: Bruce Evans
Sender: owner-bugs@FreeBSD.ORG
Precedence: bulk

The following reply was made to PR ports/944; it has been noted by GNATS.

From: Bruce Evans
To: FreeBSD-gnats-submit@FreeBSD.org, smpatel@sl-009.sl.cybercomm.net
Cc:
Subject: Re: ports/944: Security fixes for Fvwm 1.24r
Date: Sun, 14 Jan 1996 18:31:18 +1100

>>Description:
>Security problems with mktemp race condition.
>From Linux Security FAQ Update #10
>There is a good bit of stuff done between the mktemp() and the actual usage of
>the temporary file, so this bug is not very difficult to exploit. This bug
>could allow another local user to execute commands as you, when you start FVWM.

BSD provides mkstemp() to handle this problem properly. I'm not sure of its history, but it is old enough to be in FreeBSD-1.1.5. I tried exploiting the bug in mktemp() pointed out by Josh the other day (mk[s]temp() uses stat(), not lstat(), so mktemp() can return a filename that is a symlink. This doesn't seem to be a problem for mkstemp() since O_EXCL in the open flags stops all (?) existing directory entries from being openable).

>+ /* make a directory to guard against following symlinks */ >+ if (mkdir(tmp_name, 0700) != 0) { >+ perror("exclusive open for tmp_name failed in m4_defs"); >+ exit(0377); >+ } >+ strcat(tmp_name, "/data"); /* what actual tmp file is to be called */

I think the O_EXCL method is better. Except of course if you really want a directory or another type of non-regular file.

It's surprisingly hard to get the interface for temporary file [name] creation right. FreeBSD has 5 BAD interfaces: tempnam(), tmpfile(), tmpnam(), mktemp() and mkstemp().

Bruce
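Review bot: the perror() text in the mkdir() failure branch of the quoted hunk says "exclusive open for tmp_name failed in m4_defs", but the call that failed is mkdir(), so the message will mislead anyone diagnosing it; name mkdir in the message. The following strcat(tmp_name, "/data") appends five characters with no check visible in these lines that tmp_name has room for them; the buffer's declaration is not shown, so confirm its size or use a bounded append. Nothing in the hunk removes the new directory afterwards, so the cleanup path should be checked to unlink "/data" and then rmdir the directory.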
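The stat() versus O_EXCL behaviour discussed in the message, as an added example (not code from the original message or from Fvwm): it plants a dangling symlink inside a private scratch directory, then compares what a stat()-based existence check, lstat(), and open() with O_CREAT|O_EXCL each report for that name. The paths, struct probe and probe_symlink() are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What each check reports for one pre-existing dangling symlink (constructed scenario). */
struct probe {
    int stat_says_free;   /* stat() follows the link and fails with ENOENT */
    int lstat_sees_entry; /* lstat() reports the link itself */
    int excl_refused;     /* open(O_CREAT|O_EXCL) failed with EEXIST */
    int target_created;   /* a file appeared at the link's target */
};

/* Returns 0 and fills *p, or -1 if the scratch directory could not be set up. */
int probe_symlink(struct probe *p)
{
    char dir[] = "/tmp/excl-demo.XXXXXX";   /* hypothetical scratch location */
    char name[64], target[64];
    struct stat sb;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(name, sizeof name, "%s/candidate", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, name) != 0) { rmdir(dir); return -1; }

    p->stat_says_free = (stat(name, &sb) == -1 && errno == ENOENT);
    p->lstat_sees_entry = (lstat(name, &sb) == 0 && S_ISLNK(sb.st_mode));
    fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    p->excl_refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    p->target_created = (lstat(target, &sb) == 0);

    unlink(target);
    unlink(name);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct probe p;
    if (probe_symlink(&p) != 0) { perror("setup"); return 1; }
    printf("stat_free=%d lstat_entry=%d excl_refused=%d target_created=%d\n",
           p.stat_says_free, p.lstat_sees_entry, p.excl_refused, p.target_created);
    return 0;
}
```

The stat() check reports the name as unused while O_EXCL refuses it and nothing is created at the link target, which is why an exclusive create closes the gap that a check-then-open sequence leaves.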