Date: Fri, 3 Nov 2000 11:56:18 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: obrien@FreeBSD.org, audit@FreeBSD.org
Subject: gcc/binutils tempfile fixes
Message-ID: <20001103115618.A29306@citusc17.usc.edu>

Please review the following changes:

The current behaviour of gcc/binutils wrt tempfile creation is insecure - for a given PID only 52 different tempfiles can be created, leaving gcc vulnerable to symlink attacks and code corruption. The libiberty version of mkstemp() seems to enforce using only 6 X's for some reason - but it seems we (rightly) don't use this anyway.

David, how should we go about getting these fixed in gcc?

Kris

Index: binutils/binutils/bucomm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/binutils/binutils/bucomm.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 bucomm.c --- binutils/binutils/bucomm.c 2000/06/20 06:19:29 1.1.1.4 +++ binutils/binutils/bucomm.c 2000/11/03 19:28:04 @@ -211,7 +211,7 @@ make_tempname (filename) char *filename; { - static char template[] =3D "stXXXXXX"; + static char template[] =3D "stXXXXXXXXXX"; char *tmpname; char *slash =3D strrchr (filename, '/'); =20 Index: binutils/libiberty/choose-temp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/binutils/libiberty/choose-temp.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 choose-temp.c --- binutils/libiberty/choose-temp.c 2000/05/12 23:15:11 1.1.1.3 +++ binutils/libiberty/choose-temp.c 2000/11/03 19:27:49 
@@ -71,7 +71,7 @@ =20 /* Name of temporary file. mktemp requires 6 trailing X's. */ -#define TEMP_FILE "ccXXXXXX" +#define TEMP_FILE "ccXXXXXXXXXX" =20 /* Subroutine of choose_temp_base. If BASE is non-NULL, return it. Index: gcc/choose-temp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/gcc/choose-temp.c,v retrieving revision 1.4 diff -u -r1.4 choose-temp.c --- gcc/choose-temp.c 2000/06/12 06:24:54 1.4 +++ gcc/choose-temp.c 2000/11/03 19:15:20 @@ -73,7 +73,7 @@ =20 /* Name of temporary file. mktemp requires 6 trailing X's. */ -#define TEMP_FILE "ccXXXXXX" +#define TEMP_FILE "ccXXXXXXXXXX" =20 /* Subroutine of choose_temp_base. If BASE is non-NULL, return it. Index: gcc.295/choose-temp.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/gcc.295/choose-temp.c,v retrieving revision 1.3 diff -u -r1.3 choose-temp.c --- gcc.295/choose-temp.c 1999/11/04 10:23:25 1.3 +++ gcc.295/choose-temp.c 2000/11/03 19:17:33 @@ -73,7 +73,7 @@ =20 /* Name of temporary file. mktemp requires 6 trailing X's. */ -#define TEMP_FILE "ccXXXXXX" +#define TEMP_FILE "ccXXXXXXXXXX" =20 /* Subroutine of choose_temp_base. If BASE is non-NULL, return it.
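
Review bot: The allocation for tmpname in make_tempname() (binutils/binutils/bucomm.c, hunk at -211) is not visible here and needs checking against the longer template: the string grows from "stXXXXXX" to "stXXXXXXXXXX", so any buffer sized with a constant that assumed eight characters would now be four bytes short. Because template is a static char array, sizing from sizeof (template) or strlen (template) adjusts automatically; please confirm that is what the rest of the function does, and include those lines in the diff context if they had to change.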
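
Review bot: The comment directly above TEMP_FILE in binutils/libiberty/choose-temp.c (hunk at -71) is left reading "mktemp requires 6 trailing X's" while the define now carries ten, so the comment and the code disagree; please update it to say why the suffix was lengthened, otherwise a later reader is likely to trim it back to six. The same comment names mktemp, which only produces a name: a longer suffix makes the name harder to predict, but the symlink exposure described in the message only goes away if the file is then created exclusively (O_CREAT|O_EXCL, or mkstemp), so the callers of choose_temp_base deserve a look in the same review.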
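
Review bot: The TEMP_FILE line changed in gcc/choose-temp.c and gcc.295/choose-temp.c (both hunks at -73) is the same line already changed in binutils/libiberty/choose-temp.c, which means one fix is being carried as three local edits to vendor code under src/contrib. Since the message itself asks how to get this into gcc, I would send the libiberty change upstream first and note in the commit which copies were touched, so the next import does not silently restore "ccXXXXXX". Upstream will also want to know whether every supported host's mktemp accepts more than six X's, given the message says libiberty's own mkstemp() enforces six.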
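
The symlink exposure the message describes comes from choosing a name and opening it in separate steps. The following is an added example, not part of the patch or of gcc/binutils: in a private scratch directory it shows a non-exclusive open following a pre-existing link, while O_CREAT|O_EXCL and mkstemp() do not. The directory and file names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a bitmask of what was observed in a private scratch directory:
   1 = open() without O_EXCL followed a planted symlink and emptied its target
   2 = open() with O_CREAT|O_EXCL refused the same name with EEXIST
   4 = mkstemp() on a "ccXXXXXXXXXX" template returned a fresh regular file */
int tempfile_demo(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX";      /* constructed scratch location */
    char victim[64], guess[64], tmpl[64];
    struct stat st;
    int fd, seen = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/ccGUESSED", dir);  /* stands in for a predicted name */
    snprintf(tmpl, sizeof tmpl, "%s/ccXXXXXXXXXX", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, guess) != 0) return -1;

    /* Name chosen first, file opened later without O_EXCL: the link is followed. */
    fd = open(guess, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        if (stat(victim, &st) == 0 && st.st_size == 0) seen |= 1;
    }
    /* Exclusive create fails on any existing name, symlinks included. */
    fd = open(guess, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) seen |= 2; else if (fd >= 0) close(fd);

    /* mkstemp() picks the name and creates it exclusively in one step. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 0) seen |= 4;
        close(fd);
        unlink(tmpl);
    }
    unlink(guess); unlink(victim); rmdir(dir);
    return seen;
}

int main(void) { printf("observed mask: %d\n", tempfile_demo()); return 0; }
```

How many of the trailing X's mkstemp() actually randomizes depends on the C library; glibc replaces only the last six, so on such hosts the exclusive create, not the template length, is what provides the protection.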