Date: Sun, 29 Apr 2001 01:54:48 -0700 From: Kris Kennaway <kris@obsecurity.org> To: audit@FreeBSD.org Subject: CTM fixes Message-ID: <20010429015448.A76638@xor.obsecurity.org>
--XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Please review the following patch. It contains the following changes: * fix ctm(8) to use mkstemp() instead of tempnam() for tempfile creation. * Tag the internal err() function with __printflike to allow checking for non-constant format string arguments (none exist) * Use fmtcheck() to sanitize the tar command obtained via -t to make sure it doesn't contain extraneous format operators. Kris Index: ctm/ctm_pass2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_pass2.c,v retrieving revision 1.18 diff -u -r1.18 ctm_pass2.c --- ctm/ctm_pass2.c 2000/01/15 19:45:18 1.18 +++ ctm/ctm_pass2.c 2001/04/29 08:53:53 @@ -22,7 +22,7 @@ { u_char *p,*q,*md5=3D0; MD5_CTX ctx; - int i,j,sep,cnt; + int i,j,sep,cnt,fdesc; u_char *trash=3D0,*name=3D0; struct CTM_Syntax *sp; struct stat st; @@ -31,6 +31,7 @@ char md5_1[33]; struct CTM_Filter *filter; FILE *ed =3D NULL; + static char *template =3D NULL; =20 if(Verbose>3) printf("Pass2 -- Checking if CTM-patch will apply\n"); 
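Review bot: `static char *template = NULL;` in the @@ -31,6 +31,7 @@ hunk has no comment explaining why it is static. As used in the later @@ -187 hunk, it is built from TmpDir on the first matching entry and then reused, so it is never freed and would not follow a later change of TmpDir. If that is intended, say so at the declaration, e.g. `/* mkstemp(3) template, built once from TmpDir and kept for the life of the process */`. The enclosing function starts before this hunk and continues after it.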
@@ -187,8 +188,37 @@ GETDATA(trash,cnt); if (!match) break; + if (!template) { + if (asprintf(&template, "%s/CTMclientXXXXXX", + TmpDir) =3D=3D -1) { + fprintf(stderr, " %s: malloc failed.\n", + sp->Key); + ret |=3D Exit_Mess; + return ret; + } + } if(!strcmp(sp->Key,"FN")) { - p =3D tempnam(TmpDir,"CTMclient"); + if ((p =3D strdup(template)) =3D=3D NULL) { + fprintf(stderr, " %s: malloc failed.\n", + sp->Key); + ret |=3D Exit_Mess; + return ret; + } + if ((fdesc =3D mkstemp(p)) =3D=3D -1) { + fprintf(stderr, " %s: mkstemp failed.\n", + sp->Key); + ret |=3D Exit_Mess; + Free(p); + return ret; + } + if (close(fdesc) =3D=3D -1) { + fprintf(stderr, " %s: close failed.\n", + sp->Key); + ret |=3D Exit_Mess; + unlink(p); + Free(p); + return ret; + } j =3D ctm_edit(trash,cnt,name,p); if(j) { fprintf(stderr," %s: %s edit returned %d.\n", @@ -208,7 +238,27 @@ unlink(p); Free(p); } else if (!strcmp(sp->Key,"FE")) { - p =3D tempnam(TmpDir,"CTMclient"); + if ((p =3D strdup(template)) =3D=3D NULL) { + fprintf(stderr, " %s: malloc failed.\n", + sp->Key); + ret |=3D Exit_Mess; + return ret; + } + if ((fdesc =3D mkstemp(p)) =3D=3D -1) { + fprintf(stderr, " %s: mkstemp failed.\n", + sp->Key); + ret |=3D Exit_Mess; + Free(p); + return ret; + } + if (close(fdesc) =3D=3D -1) { + fprintf(stderr, " %s: close failed.\n", + sp->Key); + ret |=3D Exit_Mess; + unlink(p); + Free(p); + return ret; + } ed =3D popen("ed","w"); if (!ed) { WRONG Index: ctm/ctm_passb.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_passb.c,v retrieving revision 1.5 diff -u -r1.5 ctm_passb.c --- ctm/ctm_passb.c 1999/08/28 01:16:00 1.5 +++ ctm/ctm_passb.c 2001/04/29 08:47:31 
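Review bot: In the FN branch the descriptor from `mkstemp(p)` is closed at once and only the name `p` is passed to `ctm_edit(trash,cnt,name,p)`, so the file is opened a second time by path; the FE branch at @@ -208 repeats the same sequence. The file now exists and was created with mode 0600, which removes the tempnam() window, but the second open is only as safe as TmpDir: the name stays trustworthy only if other users cannot rename or unlink entries there (a private or sticky directory). I would state that next to the close, e.g. `/* p is reopened by name below; relies on TmpDir being private or sticky */`, or keep `fdesc` open and hand it to the consumer if ctm_edit() can take a descriptor, which is not visible from this hunk. The three failure messages also drop errno; `fprintf(stderr, " %s: mkstemp failed: %s\n", sp->Key, strerror(errno));` would tell the operator why. The enclosing function starts and ends outside the hunk.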
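Review bot: The `if (!ed) { WRONG` path that follows the new block in the @@ -208 hunk now runs with the temporary file already created on disk, which was not the case with tempnam(). WRONG is defined outside this hunk; if it returns from the function, that path leaves the empty CTMclient file behind and does not free `p`. The failure branch should do `unlink(p); Free(p);` before bailing out, as the new close() error path does. The branch continues past the end of the hunk, so later exits may need the same cleanup.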
@@ -36,7 +36,7 @@ printf("PassB -- Backing up files which would be changed.\n"); =20 MD5Init (&ctx); - sprintf(buf, TarCmd, BackupFile); + snprintf(buf, sizeof(buf), fmtcheck(TarCmd, TARCMD), BackupFile); b=3Dpopen(buf, "w"); if(!b) { warn("%s", buf); return Exit_Garbage; } =20 Index: ctm_rmail/error.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.c,v retrieving revision 1.2 diff -u -r1.2 error.c --- ctm_rmail/error.c 1995/02/25 05:10:18 1.2 +++ ctm_rmail/error.c 2001/04/29 08:48:56 @@ -58,7 +58,7 @@ * decoded and appended. */ void -err(char *fmt, ...) +err(const char *fmt, ...) { va_list ap; time_t now; Index: ctm_rmail/error.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.h,v retrieving revision 1.1 diff -u -r1.1 error.h --- ctm_rmail/error.h 1995/01/31 19:12:41 1.1 +++ ctm_rmail/error.h 2001/04/29 08:49:05 @@ -1,3 +1,3 @@ extern void err_set_log(char *log_file); extern void err_prog_name(char *name); -extern void err(char *fmt, ...); +extern void err(const char *fmt, ...) __printflike(1, 2); --XsQoSWH+UP9D9v3l Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE669bYWry0BWjoQKURAnYmAKDiOJKXlWHAKDECTz+Nl7NLVEP/BACdGzdW qCx0kd7roJGXYozVF78DWwM= =TtaU -----END PGP SIGNATURE----- --XsQoSWH+UP9D9v3l-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
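Review bot: The return value of the new `snprintf(buf, sizeof(buf), fmtcheck(TarCmd, TARCMD), BackupFile)` is ignored, so an over-long TarCmd or BackupFile is silently cut and the truncated string is still handed to `popen(buf, "w")`. Check it before running the command, e.g. `n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(buf)) return Exit_Garbage;` with `n` declared as int. `sizeof(buf)` is only the right bound if `buf` is an array in this function; its declaration is outside the hunk. fmtcheck() constrains the conversion specifiers in TarCmd but does nothing about shell metacharacters in BackupFile, which popen() passes through /bin/sh, so a comment saying both values are trusted operator input would be worth adding if that is the intent.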
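Review bot: `__printflike(1, 2)` on the `err()` prototype in ctm_rmail/error.h is a macro from `<sys/cdefs.h>`, and this three-line header includes nothing, so it compiles only where the includer has already pulled that header in. Adding `#include <sys/cdefs.h>` at the top of error.h would make it self-contained. While the prototypes are being touched, `err_set_log(char *log_file)` and `err_prog_name(char *name)` could take `const char *` as well if they do not modify their argument, which this hunk does not show.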