From owner-freebsd-bugs Mon Aug 10 18:00:14 1998
Message-Id: <199808110049.UAA24496@deity.darkening.com>
Date: Mon, 10 Aug 1998 20:49:24 -0400 (EDT)
From: tstrombe@rtci.com
Reply-To: tstrombe@rtci.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/7565: Security fix for perl vidfont/kbdmap, spkrtest

>Number: 7565
>Category: bin
>Synopsis: small security fix for vidfont/kbdmap, spkrtest
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 10 18:00:01 PDT 1998
>Last-Modified:
>Originator: Thomas Stromberg
>Organization: Research Triangle Consultants, Inc.
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
3.0-CURRENT
>Description:
/usr/sbin/spkrtest and /usr/sbin/vidfont (aka kbdmap) use very predictable /tmp files (static prefix + process number) which are overwritten blindly, and follow links.
>How-To-Repeat:
Look at the last process number executed, then stuff the /tmp directory with "/tmp/_kbd_lang[last process to last process + 1000]" as links to any file on the system. Then when root runs vidfont, that file is removed.
>Fix:
These workarounds change it from a process number to a very random (9999 with tons of decimal places) number.
*** /usr/src/usr.sbin/kbdmap/kbdmap.pl Mon May 19 03:30:45 1997 --- /home/ventrex/code/security/freebsd/fixed/kbdmap.pl Mon Aug 10 20:46:57 1998 *************** *** 229,236 **** } sub dialog { local(@argv) = @_; ! local($tmp) = "/tmp/_kbd_lang$$"; $dialog = "/usr/bin/dialog \\ --clear \\ --- 229,237 ---- } sub dialog { + srand; local(@argv) = @_; ! local($tmp) = "/tmp/_kbd_lang" . rand(9999); $dialog = "/usr/bin/dialog \\ --clear \\ *** /usr/src/usr.sbin/spkrtest/spkrtest.pl Sat Feb 22 11:13:37 1997 --- /home/ventrex/code/security/freebsd/fixed/spkrtest.pl Mon Aug 10 20:28:15 1998 *************** *** 93,99 **** push(@checklist, ($_, $title{$_}, 'OFF')); } ! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest$$"; if (!open(SPEAKER, "> $speaker")) { warn "You have no write access to $speaker or the speaker device is not " . --- 93,100 ---- push(@checklist, ($_, $title{$_}, 'OFF')); } ! srand; ! $tmp = ($ENV{'TMP'} || "/tmp") . "/_spkrtest" . rand(9999); if (!open(SPEAKER, "> $speaker")) { warn "You have no write access to $speaker or the speaker device is not " .
>Audit-Trail:
>Unformatted:
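Review bot: In the kbdmap.pl hunk, `srand;` sits inside `sub dialog`, so the generator is re-seeded on every call, and `rand(9999)` comes from Perl's general-purpose generator rather than from anything meant to be unguessable. The new name is harder to predict than `$$`, but nothing in this hunk changes how `$tmp` is later opened, so a link already present at the chosen name would still be followed. I would seed once at program start at most, and more importantly create the file with an exclusive open (`sysopen` with `O_CREAT|O_EXCL`, mode 0600), retrying with a fresh name if it already exists.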
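Review bot: In the spkrtest.pl hunk, the changed `$tmp` line still takes its directory from `$ENV{'TMP'}` with a fallback to the shared `/tmp`, and appending `rand(9999)` puts a fractional number (including a `.`) into the file name with no check that the name is unused. The directory choice stays under the caller's control and a collision or a pre-existing link is not detected by anything visible here. Suggest building the path only in a directory the script trusts, creating it exclusively rather than relying on the suffix, and adding a short comment next to `srand;` saying why the suffix is randomised.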
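The blind overwrite described in the report, next to exclusive creation, as an added example that is not part of the original PR or the FreeBSD sources. The scratch directory, `important.conf` and the helper names are constructed for illustration; everything happens inside a private temporary directory.

```perl
# Added example (not from the PR): compares open('>') on a guessable name
# with exclusive creation, inside a private scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a shared /tmp.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/important.conf";       # hypothetical file the user owns
my $guess  = "$dir/_kbd_lang" . $$;       # name shape from the report

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $text;
    close($fh) or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;
    my $text = <$fh>;
    close($fh);
    return $text;
}

write_file($victim, "original\n");
symlink($victim, $guess) or die "symlink: $!";   # link present before use

# 1. What the scripts do: open for writing follows the link and truncates.
write_file($guess, "dialog output\n");
print "after open('>'):  victim holds ", read_file($victim);

# 2. Exclusive create: O_EXCL fails if the name exists, even as a symlink.
write_file($victim, "original\n");
if (sysopen(my $fh, $guess, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    print "unexpected: exclusive create succeeded\n";
} else {
    print "sysopen O_EXCL refused: ", ($!{EEXIST} ? "EEXIST" : "$!"), "\n";
}
print "after sysopen:    victim holds ", read_file($victim);

# 3. File::Temp picks the name and creates it exclusively with mode 0600.
my ($tfh, $tname) = tempfile('_kbd_langXXXXXXXX', DIR => $dir, UNLINK => 1);
printf "tempfile created %s mode %04o\n", $tname, (stat($tname))[2] & 07777;
```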