Date:      Mon, 10 Aug 1998 20:49:24 -0400 (EDT)
From:      tstrombe@rtci.com
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   bin/7565: Security fix for perl vidfont/kbdmap, spkrtest 
Message-ID:  <199808110049.UAA24496@deity.darkening.com>


>Number:         7565
>Category:       bin
>Synopsis:       small security fix for vidfont/kbdmap, spkrtest
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 10 18:00:01 PDT 1998
>Last-Modified:
>Originator:     Thomas Stromberg
>Organization:
Research Triangle Consultants, Inc.
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
	3.0-CURRENT

>Description:

	/usr/sbin/spkrtest and /usr/sbin/vidfont (aka kbdmap) use very
	predictable /tmp files (static prefix + process number) which are
	overwritten blindly, and follow links. 


>How-To-Repeat:

	Look at the last process number executed, then stuff the /tmp
	directory with "/tmp/_kbd_lang[last process to last process + 1000]"
	as links to any file on the system. Then when root runs vidfont,
	that file is removed.

>Fix:

	These workarounds change it from a process number to a very random
	(9999 with tons of decimal places) number. 
	

*** /usr/src/usr.sbin/kbdmap/kbdmap.pl  Mon May 19 03:30:45 1997
--- /home/ventrex/code/security/freebsd/fixed/kbdmap.pl Mon Aug 10 20:46:57
1998
***************
*** 229,236 ****
  }
  
  sub dialog {
      local(@argv) = @_;
!     local($tmp) = "/tmp/_kbd_lang$$";
  
      $dialog = "/usr/bin/dialog \\
  --clear \\
--- 229,237 ----
  }
  
  sub dialog {
+     srand;
      local(@argv) = @_;
!     local($tmp) = "/tmp/_kbd_lang" . rand(9999);
  
      $dialog = "/usr/bin/dialog \\
  --clear \\
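
Review bot: In dialog(), the changed line swaps `$$` for `rand(9999)` but still only builds a name; nothing in this hunk makes the later use of $tmp refuse a file or link that already exists, so the link-following behaviour described in the report remains for any name that is guessed or pre-planted. Suggest creating the file at this point with sysopen and O_WRONLY|O_CREAT|O_EXCL, mode 0600, retrying with a new suffix on EEXIST, so that safety no longer depends on the name being secret. Separately, the added `srand;` sits inside the sub and reseeds on every call to dialog(); seed once at program start instead.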







*** /usr/src/usr.sbin/spkrtest/spkrtest.pl      Sat Feb 22 11:13:37 1997
--- /home/ventrex/code/security/freebsd/fixed/spkrtest.pl       Mon Aug 10
20:28:15 1998
***************
*** 93,99 ****
      push(@checklist, ($_, $title{$_}, 'OFF'));
  }
  
! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest$$";
  
  if (!open(SPEAKER, "> $speaker")) {
      warn "You have no write access to $speaker or the speaker device is
not " .
--- 93,100 ----
      push(@checklist, ($_, $title{$_}, 'OFF'));
  }
  
! srand; 
! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest" . rand(9999);
  
  if (!open(SPEAKER, "> $speaker")) {
      warn "You have no write access to $speaker or the speaker device is
not " .
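
Review bot: The new `$tmp` assignment is still plain string concatenation under `$ENV{'TMP'}` or /tmp, and the file is not created here, so there is a window between choosing the name and its first use in which another user can place a link at that path. Create the file exclusively at this line (sysopen with O_CREAT|O_EXCL, mode 0600) and fail or retry on EEXIST rather than relying on `rand(9999)` alone. Minor: the added `srand; ` line carries trailing whitespace, and a one-line comment saying why the PID suffix was dropped would help the next reader.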



>Audit-Trail:
>Unformatted:
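
The failure mode reported above, shown as an added example that is not part of the original PR or of the FreeBSD scripts: a temporary file created with O_EXCL refuses a planted symlink even when the name is fully predictable. The helper name `safe_tmpfile`, the retry limit and the sandbox directory standing in for /tmp are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the PR): exclusive temp-file creation.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Errno qw(EEXIST);
use File::Temp qw(tempdir);

# Hypothetical helper: create "$dir/$prefix<suffix>" only if nothing exists
# under that name. O_EXCL makes the open fail with EEXIST on any existing
# entry, including a symlink, so a planted link is never followed.
sub safe_tmpfile {
    my ($dir, $prefix, $first) = @_;
    for my $try (0 .. 99) {
        my $path = "$dir/$prefix" . ($first + $try);
        if (sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
            return ($fh, $path);
        }
        # Any error other than "already exists" is fatal.
        die "cannot create $path: $!" unless $!{EEXIST};
    }
    die "no free name under $dir/$prefix";
}

# Constructed demo in a private sandbox directory standing in for /tmp.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim";
open(my $v, '>', $victim) or die "victim: $!";
print $v "important data\n";
close($v);

# The PID-based name the original scripts would pick is already a link.
symlink($victim, "$dir/_kbd_lang$$") or die "symlink: $!";

my ($fh, $path) = safe_tmpfile($dir, '_kbd_lang', $$);
print $fh "dialog output\n";
close($fh);

open($v, '<', $victim) or die "victim: $!";
my $content = <$v>;
close($v);
print "temp file created at: $path\n";
print "victim intact: ", ($content eq "important data\n" ? "yes" : "no"), "\n";
unlink($path);
```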
