Date: Fri, 3 Nov 2000 11:56:18 -0800 From: Kris Kennaway <kris@FreeBSD.org> To: obrien@FreeBSD.org, audit@FreeBSD.org Subject: gcc/binutils tempfile fixes Message-ID: <20001103115618.A29306@citusc17.usc.edu>
next in thread | raw e-mail | index | archive | help
--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Please review the following changes:
The current behaviour of gcc/binutils wrt tempfile creation is
insecure - for a given PID only 52 different tempfiles can be created,
leaving gcc vulnerable to symlink attacks and code corruption. The
libiberty version of mkstemp() seems to enforce using only 6 X's for
some reason - but it seems we (rightly) don't use this anyway)
David, how should we go about getting these fixed in gcc?
Kris
Index: binutils/binutils/bucomm.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/contrib/binutils/binutils/bucomm.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 bucomm.c
--- binutils/binutils/bucomm.c 2000/06/20 06:19:29 1.1.1.4
+++ binutils/binutils/bucomm.c 2000/11/03 19:28:04
@@ -211,7 +211,7 @@
make_tempname (filename)
char *filename;
{
- static char template[] =3D "stXXXXXX";
+ static char template[] =3D "stXXXXXXXXXX";
char *tmpname;
char *slash =3D strrchr (filename, '/');
=20
Index: binutils/libiberty/choose-temp.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/contrib/binutils/libiberty/choose-temp.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 choose-temp.c
--- binutils/libiberty/choose-temp.c 2000/05/12 23:15:11 1.1.1.3
+++ binutils/libiberty/choose-temp.c 2000/11/03 19:27:49
@@ -71,7 +71,7 @@
=20
/* Name of temporary file.
mktemp requires 6 trailing X's. */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
=20
/* Subroutine of choose_temp_base.
If BASE is non-NULL, return it.
Index: gcc/choose-temp.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/contrib/gcc/choose-temp.c,v
retrieving revision 1.4
diff -u -r1.4 choose-temp.c
--- gcc/choose-temp.c 2000/06/12 06:24:54 1.4
+++ gcc/choose-temp.c 2000/11/03 19:15:20
@@ -73,7 +73,7 @@
=20
/* Name of temporary file.
mktemp requires 6 trailing X's. */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
=20
/* Subroutine of choose_temp_base.
If BASE is non-NULL, return it.
Index: gcc.295/choose-temp.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/contrib/gcc.295/choose-temp.c,v
retrieving revision 1.3
diff -u -r1.3 choose-temp.c
--- gcc.295/choose-temp.c 1999/11/04 10:23:25 1.3
+++ gcc.295/choose-temp.c 2000/11/03 19:17:33
@@ -73,7 +73,7 @@
=20
/* Name of temporary file.
mktemp requires 6 trailing X's. */
-#define TEMP_FILE "ccXXXXXX"
+#define TEMP_FILE "ccXXXXXXXXXX"
=20
/* Subroutine of choose_temp_base.
If BASE is non-NULL, return it.
--jRHKVT23PllUwdXP
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjoDGGEACgkQWry0BWjoQKVNtQCfUySAUaLS0rfHKEDUmJQzQvlc
6fsAn14t1CCpKLZpgMSXSGYGddokKOPl
=55P2
-----END PGP SIGNATURE-----
--jRHKVT23PllUwdXP--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001103115618.A29306>