Date: Mon, 10 Aug 1998 20:49:24 -0400 (EDT)
From: tstrombe@rtci.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/7565: Security fix for perl vidfont/kbdmap, spkrtest
Message-ID: <199808110049.UAA24496@deity.darkening.com>
>Number: 7565
>Category: bin
>Synopsis: small security fix for vidfont/kbdmap, spkrtest
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 10 18:00:01 PDT 1998
>Last-Modified:
>Originator: Thomas Stromberg
>Organization: Research Triangle Consultants, Inc.
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
3.0-CURRENT
>Description:
/usr/sbin/spkrtest and /usr/sbin/vidfont (aka kbdmap) use very predictable /tmp files (static prefix + process number) which are overwritten blindly, and follow links.
>How-To-Repeat:
Look at the last process number executed, then stuff the /tmp directory with "/tmp/_kbd_lang[last process to last process + 1000]" as links to any file on the system. Then when root runs vidfont, that file is removed.
>Fix:
These workarounds change it from a process number to a very random (9999 with tons of decimal places) number.
*** /usr/src/usr.sbin/kbdmap/kbdmap.pl Mon May 19 03:30:45 1997 --- /home/ventrex/code/security/freebsd/fixed/kbdmap.pl Mon Aug 10 20:46:57 1998 *************** *** 229,236 **** } sub dialog { local(@argv) = @_; ! local($tmp) = "/tmp/_kbd_lang$$"; $dialog = "/usr/bin/dialog \\ --clear \\ --- 229,237 ---- } sub dialog { + srand; local(@argv) = @_; ! local($tmp) = "/tmp/_kbd_lang" . rand(9999); $dialog = "/usr/bin/dialog \\ --clear \\ *** /usr/src/usr.sbin/spkrtest/spkrtest.pl Sat Feb 22 11:13:37 1997 --- /home/ventrex/code/security/freebsd/fixed/spkrtest.pl Mon Aug 10 20:28:15 1998 *************** *** 93,99 **** push(@checklist, ($_, $title{$_}, 'OFF')); } ! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest$$"; if (!open(SPEAKER, "> $speaker")) { warn "You have no write access to $speaker or the speaker device is not " . --- 93,100 ---- push(@checklist, ($_, $title{$_}, 'OFF')); } ! srand; ! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest" . 
rand(9999); if (!open(SPEAKER, "> $speaker")) { warn "You have no write access to $speaker or the speaker device is not " . 
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
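
Review bot: In the kbdmap.pl hunk, the new $tmp in sub dialog is still only a name picked before the file exists, and nothing in the change alters how that path is opened, so a link already sitting at that name would be followed exactly as before; the patch only makes the name harder to guess. Suggest creating the file with sysopen($fh, $tmp, O_WRONLY|O_CREAT|O_EXCL, 0600) and retrying with a new name on EEXIST, after which the name does not need to be secret. Separately, the added srand; sits inside sub dialog and so reseeds on every call; seed once at program start instead.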
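
Review bot: In the spkrtest.pl hunk, the suffix from rand(9999) after a bare srand; is only as unpredictable as the seed srand picks, and $$ has been dropped from the name, so concurrent runs are no longer distinct by construction. Suggest keeping $$ in the name for uniqueness and getting the safety from exclusive creation (O_CREAT|O_EXCL, mode 0600) under ($ENV{'TMP'} || "/tmp") rather than from the random suffix.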
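
An added example, not part of the original report or of the FreeBSD sources: the Description's point about temp files that are "overwritten blindly, and follow links", shown in Perl next to exclusive creation, which refuses a name that already exists. The helper names (open_exclusive, create_tmp), the scratch directory and the file names are constructed for the demo, and it assumes the script creates the temp file itself.

```perl
# Added example; not code from kbdmap.pl or spkrtest.pl.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# O_EXCL makes the open fail if the path already exists, including when it
# is a symbolic link, so nothing is followed or truncated.
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

# Hypothetical helper: try names until one can be created exclusively.
sub create_tmp {
    my ($dir, $prefix) = @_;
    for (1 .. 100) {
        my $path = sprintf('%s/%s%d.%06d', $dir, $prefix, $$, int(rand(1_000_000)));
        my $fh = open_exclusive($path);
        return ($fh, $path) if $fh;
        die "cannot create $path: $!\n" unless $! == EEXIST;
    }
    die "no free name for $dir/$prefix\n";
}

# Constructed scenario, confined to a private scratch directory.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/important";      # stands in for a file worth protecting
my $name   = "$dir/_kbd_lang4242";  # a temp name that already exists as a link
open(my $t, '>', $target) or die "open $target: $!\n";
print {$t} "keep me\n"; close $t;
symlink($target, $name) or die "symlink: $!\n";

# Exclusive create refuses the existing name; the target keeps its 8 bytes.
my $fh = open_exclusive($name);
printf "O_EXCL on existing name: %s, target size %d\n",
    ($fh ? 'opened' : "refused ($!)"), (stat $target)[7];

# Normal use: a new mode-0600 file that did not exist before the call.
my ($out, $path) = create_tmp($dir, '_kbd_lang');
print {$out} "dialog output\n"; close $out;
printf "created %s\n", $path;

# Pre-patch style open for contrast: '>' follows the link and truncates.
open(my $old, '>', $name) or die "open $name: $!\n";
close $old;
printf "plain open on existing name: target size now %d\n", (stat $target)[7];
```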