From owner-freebsd-ports-bugs@FreeBSD.ORG Mon May 12 02:20:09 2003 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BDD737B404 for ; Mon, 12 May 2003 02:20:09 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 083DB43FBF for ; Mon, 12 May 2003 02:20:08 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h4C9K7Up096094 for ; Mon, 12 May 2003 02:20:07 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h4C9K7Hf096093; Mon, 12 May 2003 02:20:07 -0700 (PDT) Resent-Date: Mon, 12 May 2003 02:20:07 -0700 (PDT) Resent-Message-Id: <200305120920.h4C9K7Hf096093@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jim Geovedi Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AB3537B401 for ; Mon, 12 May 2003 02:10:15 -0700 (PDT) Received: from magnesium.net (toxic.magnesium.net [207.154.84.15]) by mx1.FreeBSD.org (Postfix) with SMTP id DE91143FE1 for ; Mon, 12 May 2003 02:10:14 -0700 (PDT) (envelope-from negative@magnesium.net) Received: (qmail 29272 invoked by uid 1224); 12 May 2003 09:10:14 -0000 Message-Id: <20030512091014.29271.qmail@magnesium.net> Date: 12 May 2003 02:10:14 -0700 
From: Jim Geovedi To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: ports/52098: security/fuzz: privilege escalation bug X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Jim Geovedi List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2003 09:20:09 -0000 >Number: 52098 >Category: ports >Synopsis: security/fuzz: privilege escalation bug >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon May 12 02:20:07 PDT 2003 >Closed-Date: >Last-Modified: >Originator: Jim Geovedi >Release: FreeBSD 4.6-STABLE i386 >Organization: Liquid Magnesium Networks >Environment: System: FreeBSD toxic.magnesium.net 4.6-STABLE FreeBSD 4.6-STABLE #5: Thu Aug 1 09:24:17 PDT 2002 unfurl@toxic.magnesium.net:/users/world/obj/users/world/src/sys/TOXIC i386 >Description: fuzz creates a temporary file without taking appropriate security precautions. This bug could allow an attacker to gain the privileges of the user invoking fuzz, excluding root (fuzz does not allow itself to be invoked as root). >How-To-Repeat: >Fix: --- fuzz.diff begins here --- diff -uNr --exclude=CVS fuzz.orig/Makefile fuzz/Makefile --- fuzz.orig/Makefile Thu Feb 20 10:59:04 2003 +++ fuzz/Makefile Mon May 12 02:02:37 2003 @@ -7,6 +7,7 @@ PORTNAME= fuzz PORTVERSION= 0.6 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= fuzz diff -uNr --exclude=CVS fuzz.orig/files/patch-fuzz.c fuzz/files/patch-fuzz.c --- fuzz.orig/files/patch-fuzz.c Wed Dec 31 16:00:00 1969 +++ fuzz/files/patch-fuzz.c Mon May 12 01:57:12 2003 
@@ -0,0 +1,20 @@ +--- fuzz.c.orig Mon May 12 01:49:39 2003 ++++ fuzz.c Mon May 12 01:53:44 2003 +@@ -387,10 +387,16 @@ + int progpipe[2],status; + char sendnewline=0; + unsigned long curchar=0,linelen=0; ++ int fd; + + // finish setting up files + if(!execute_filename){ +- snprintf(outfilename,MAXPATH,"/tmp%s.%lu",strrchr(progname,'/'),runs); ++ snprintf(outfilename,MAXPATH,"/tmp%s.%lu.XXXXXX",strrchr(progname,'/'),runs); ++ if ((fd=mkstemp(outfilename)) < 0) { ++ perror("Unable to create temporary file"); ++ abort(); ++ } ++ close(fd); + if((outfile=fopen(outfilename,"w"))==NULL){ + fprintf(stderr,"Can't fopen outfile.\n"); + abort(); --- fuzz.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
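Review bot: in the patch-fuzz.c hunk, the new `close(fd);` followed by the unchanged `fopen(outfilename,"w")` reopens the file by path right after mkstemp() created it, which hands back the guarantee mkstemp() just gave (the descriptor it returned is the only handle that is tied to the inode it created, not to the name). Replace the close()/fopen() pair with `outfile = fdopen(fd, "w");` and keep the existing NULL check and "Can't fopen outfile." error path, closing `fd` in that path; then every write goes to the file mkstemp() made with O_EXCL and mode 0600. Two smaller points: the added `.XXXXXX` lengthens the name, and snprintf() with MAXPATH will truncate silently rather than fail, so a check of its return value against MAXPATH would make that case visible; and abort() on mkstemp() failure matches the surrounding code's style, so that is fine. The Makefile hunk's PORTREVISION bump to 1 is the right accompaniment for a fix that changes the built binary.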
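The shape the PR's fix is reaching for, as an added example written for this page and not code from fuzz or from the PR: it builds the same `/tmp/<prog>.<runs>.XXXXXX` name, lets mkstemp() create the file, and then keeps that descriptor through fdopen() instead of closing it and calling fopen() on the path. The functions `open_run_outfile`, `outfile_is_private` and `demo_private_outfile`, and the program name and run number used, are constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not fuzz's code: build the same "/tmp/<prog>.<runs>.XXXXXX"
 * name as the PR's patch, let mkstemp() create it (O_EXCL, mode 0600), then
 * keep that descriptor via fdopen() instead of close()+fopen() by name. */
static FILE *open_run_outfile(char *outfilename, size_t cap,
                              const char *progname, unsigned long runs)
{
    const char *base = strrchr(progname, '/');
    base = base ? base + 1 : progname;          /* tolerate a bare program name */
    if (snprintf(outfilename, cap, "/tmp/%s.%lu.XXXXXX", base, runs) >= (int)cap)
        return NULL;                            /* name would be truncated */
    int fd = mkstemp(outfilename);              /* fills in XXXXXX, fails on collision */
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");                  /* same inode, no second open by path */
    if (f == NULL)
        close(fd);
    return f;
}

/* The properties the fix relies on: a regular file, owner-only 0600, one link. */
static int outfile_is_private(FILE *f)
{
    struct stat st;
    if (fstat(fileno(f), &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

/* Constructed run: create, verify, write, clean up. Returns 1 when all checks pass. */
int demo_private_outfile(void)
{
    char name[1024];
    FILE *f = open_run_outfile(name, sizeof name, "/usr/local/bin/target", 7UL);
    if (f == NULL)
        return 0;
    int ok = outfile_is_private(f) && strncmp(name, "/tmp/target.7.", 14) == 0;
    fputs("constructed fuzz input\n", f);
    if (fclose(f) != 0)
        ok = 0;
    unlink(name);                               /* the real tool keeps it for the run */
    return ok;
}
```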