Security fixes for Fvwm 1.24r

From: Sujal Patel <smpatel_at_sl-009.sl.cybercomm.net>
Date: Sat, 13 Jan 1996 21:45:02 -0500

>Number: 944
>Category: ports
>Synopsis: Security fixes for Fvwm 1.24r
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pst
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 13 18:50:01 PST 1996
>Last-Modified: Wed Feb 7 15:56:44 PST 1996
>Originator: Sujal Patel
>Organization:
>Release: FreeBSD 2.2-CURRENT i386
>Environment:

FreeBSD 2.1+

>Description:

Security problems with mktemp race condition.
From Linux Security FAQ Update #10

There is a good bit of stuff done between the mktemp() and the actual usage of
the temporary file, so this bug is not very difficult to exploit. This bug
could allow another local user to execute commands as you, when you start FVWM.

>How-To-Repeat:
>Fix:

This should take care of it. This is a slightly cleaned up version of
the fix by Debian/GNU Linux.
        
diff -ur old/fvwm-1.24r/fvwm/configure.c new/fvwm-1.24r/fvwm/configure.c
--- old/fvwm-1.24r/fvwm/configure.c Tue Nov 15 09:02:27 1994
+++ new/fvwm-1.24r/fvwm/configure.c Sat Jan 13 20:59:52 1996
_at_@ -1976,6 +1976,8 @@
     char *vc; /* Visual Class */
     FILE *tmpf;
     struct passwd *pwent;
+ int fd;
+
     /* Generate a temporary filename. Honor the TMPDIR environment variable,
        if set. Hope nobody deletes this file! */
 
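Review bot: `int fd;` is declared at the top of this hunk but never used in either configure.c hunk; the following hunk still calls mktemp() and keeps the `FILE *tmpf` rather than an mkstemp() descriptor. Either use it (`fd = mkstemp(tmp_name); tmpf = fdopen(fd, "w");`) so the name choice and the open become one O_EXCL step, or drop the declaration to keep the build warning-free.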
_at_@ -1984,14 +1986,21 @@
     } else {
       strcpy(tmp_name, "/tmp");
     }
- strcat(tmp_name, "/fvwmrcXXXXX");
- mktemp(tmp_name);
+ strcat(tmp_name, "/fvwmrcXXXXXX");
+ vc = mktemp(tmp_name);
     
- if (*tmp_name == '\0')
+ if (vc == NULL)
       {
         perror("mktemp failed in m4_defs");
         exit(0377);
       }
+
+ /* make a directory to guard against following symlinks */
+ if (mkdir(tmp_name, 0700) != 0) {
+ perror("exclusive open for tmp_name failed in m4_defs");
+ exit(0377);
+ }
+ strcat(tmp_name, "/data"); /* what actual tmp file is to be called */
 
     /*
      * Create the appropriate command line to run m4, and
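Review bot: the perror() text in the mkdir() branch says "exclusive open for tmp_name failed" but the call that failed is mkdir(); name mkdir in the message so an EEXIST (someone pre-planted an entry at that name) is recognisable in a user's report. Two smaller points: reusing `vc`, declared a few lines up as the Visual Class string, to hold mktemp()'s return value is confusing; `if (mktemp(tmp_name) == NULL)` says the same thing without the overloaded variable. And the new NULL test replaces the old `*tmp_name == '\0'` test rather than adding to it; some libcs signal mktemp() failure by clearing the template instead of returning NULL, so if those matter, check both. The directory approach itself is sound: mkdir() is atomic, fails on any pre-existing entry including a symlink, and with mode 0700 only the owner can create the "data" file inside it.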
diff -ur old/fvwm-1.24r/fvwm/fvwm.c new/fvwm-1.24r/fvwm/fvwm.c
--- old/fvwm-1.24r/fvwm/fvwm.c Tue Nov 15 09:02:52 1994
+++ new/fvwm-1.24r/fvwm/fvwm.c Sat Jan 13 20:57:49 1996
_at_@ -874,11 +874,19 @@
   if (m4_enable)
     {
       extern char *fvwm_file;
+ char *p;
 
       /* With m4 processing, a temporary file was created to hold the
          processed file. Delete the file now because we don't need it
          any more. It will be created again during restart. */
       unlink(fvwm_file);
+ /* get rid of directory it was in as well, since that was created to
+ secure access to the file */
+ p = strrchr(fvwm_file, '/');
+ if (p!=NULL)
+ *p='\0'; /* chop off last component of fvwm_file */
+ if (rmdir(fvwm_file)!=0)
+ fprintf(stderr, "Couldn't rmdir %s\n", fvwm_file);
     }
 #endif
 
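Review bot: `*p = '\0'` truncates the shared extern `fvwm_file` in place, so after this block it names the directory rather than the file; the comment just above says the file is created again on restart, so any later reader of `fvwm_file` sees the wrong path. Copy the path into a local buffer before chopping it, or restore the '/' once rmdir() has been attempted. Also, the rmdir() failure message should include strerror(errno) so a leftover directory (ENOTEMPTY, EACCES) can be diagnosed from the stderr line alone.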
>Audit-Trail:

From: Bruce Evans <bde_at_zeta.org.au>
To: FreeBSD-gnats-submit_at_FreeBSD.org, smpatel_at_sl-009.sl.cybercomm.net
Cc:
Subject: Re: ports/944: Security fixes for Fvwm 1.24r
Date: Sun, 14 Jan 1996 18:31:18 +1100

>>Description:
 
>Security problems with mktemp race condition.
>From Linux Security FAQ Update #10
 
>There is a good bit of stuff done between the mktemp() and the actual usage of
>the temporary file, so this bug is not very difficult to exploit. This bug
>could allow another local user to execute commands as you, when you start FVWM.
 
 BSD provides mkstemp() to handle this problem properly. I'm not sure of
 its history, but it is old enough to be in FreeBSD-1.1.5.
 
 I tried exploiting the bug in mktemp() pointed out by Josh the other day
 (mk[s]temp() uses stat(), not lstat(), so mktemp() can return a filename
 that is a symlink. This doesn't seem to be a problem for mkstemp()
 since O_EXCL in the open flags stops all (?) existing directory entries
 from being openable).
 
>+ /* make a directory to guard against following symlinks */
>+ if (mkdir(tmp_name, 0700) != 0) {
>+ perror("exclusive open for tmp_name failed in m4_defs");
>+ exit(0377);
>+ }
>+ strcat(tmp_name, "/data"); /* what actual tmp file is to be called */
 
 I think the O_EXCL method is better. Except of course if you really
 want a directory or another type of non-regular file. It's surprisingly
 hard to get the interface for temporary file [name] creation right.
 FreeBSD has 5 BAD interfaces: tempnam(), tmpfile(), tmpnam(), mktemp()
 and mkstemp().
 
 Bruce
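Added example, not code from the PR, from fvwm or from the Debian fix: a small C program showing the two remedies this thread discusses side by side. Route 1 is the mkstemp() path Bruce points to (name choice and open collapse into one O_CREAT|O_EXCL step); route 2 is the private-directory approach of the Debian patch, here done with mkdtemp() instead of mktemp()+mkdir(). It adds the post-open sanity check a practitioner would want after either route, a direct check of the claim that O_EXCL refuses a pre-existing symlink, and a cleanup that mirrors the fvwm.c hunk without truncating the caller's path string in place. All function names, the "planted" link and its dangling target are constructed for this demonstration; the template "fvwmrcXXXXXX" and the TMPDIR/"/tmp" fallback follow the patch.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* mkstemp, mkdtemp, lstat, symlink */
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "<TMPDIR or /tmp>/fvwmrcXXXXXX", built the way the patched fvwm builds it. */
static int build_template(char *buf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    return (snprintf(buf, len, "%s/fvwmrcXXXXXX", dir) < (int)len) ? 0 : -1;
}

/* Route 1: mkstemp() chooses the name and opens it with O_CREAT|O_EXCL in one
 * step, so an entry planted between "pick name" and "open" makes the open fail
 * instead of being followed. Returns the descriptor, or -1. */
int create_tmpfile_safely(char *path, size_t len)
{
    if (build_template(path, len) != 0)
        return -1;
    return mkstemp(path);
}

/* Route 2: a private directory. mkdtemp() performs the mkdir(0700) atomically
 * and fails on any pre-existing entry (symlink included); only the owner can
 * then create "data" inside it. Returns the descriptor, or -1. */
int create_in_private_dir(char *dir, size_t dirlen, char *file, size_t filelen)
{
    int fd;
    if (build_template(dir, dirlen) != 0 || mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(file, filelen, "%s/data", dir) >= (int)filelen) {
        rmdir(dir);
        return -1;
    }
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        rmdir(dir);
    return fd;
}

/* After either route: what we hold open must be a regular file, ours, closed to
 * group/other, and the name must still refer to that very inode (no symlink,
 * no swapped-in entry). Returns 1 if all checks pass, else 0. */
int verify_tmpfile(int fd, const char *path)
{
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || lstat(path, &ps) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || fs.st_uid != getuid() || (fs.st_mode & 077) != 0)
        return 0;
    return fs.st_ino == ps.st_ino && fs.st_dev == ps.st_dev;
}

/* Bruce's point, checked directly: with O_EXCL an existing symlink at the chosen
 * name is refused with EEXIST, even a dangling one. A constructed link inside a
 * fresh private directory stands in for a planted entry. Returns 1 if refused. */
int excl_open_refuses_existing_entry(void)
{
    char dir[256], link_path[300];
    int refused = 0;
    if (build_template(dir, sizeof dir) != 0 || mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/planted", dir);
    if (symlink("does-not-exist", link_path) == 0) {   /* constructed, dangling */
        int fd = open(link_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0)
            close(fd);
        unlink(link_path);
    }
    rmdir(dir);
    return refused;
}

/* Cleanup for route 2, the fvwm.c hunk done on a copy: remove the file, then
 * its directory, without truncating the caller's string. 0 on success. */
int cleanup_private_dir(const char *file)
{
    char dir[4096], *slash;
    if (strlen(file) >= sizeof dir || (strcpy(dir, file), slash = strrchr(dir, '/')) == NULL)
        return -1;
    *slash = '\0';
    if (unlink(file) != 0)
        return -1;
    return rmdir(dir) == 0 ? 0 : -1;
}

int main(void)
{
    char path[256];
    int fd = create_tmpfile_safely(path, sizeof path);
    printf("mkstemp route: %s (verified=%d)\n", path, fd >= 0 && verify_tmpfile(fd, path));
    if (fd >= 0) { close(fd); unlink(path); }
    printf("O_EXCL refuses a planted symlink: %d\n", excl_open_refuses_existing_entry());
    return 0;
}
```

verify_tmpfile() is the check worth keeping even after switching to mkstemp(): it costs two stat calls and catches the remaining failure modes (a descriptor that is not a regular file, a mode loosened by an odd umask, or a name that no longer points at what was opened) before anything is written through the path.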
Responsible-Changed-From-To: freebsd-bugs->pst
Responsible-Changed-By: pst
Responsible-Changed-When: Wed Feb 7 15:56:28 PST 1996
Responsible-Changed-Why:
>Unformatted:

Received on Sat Jan 13 1996 - 18:45:17 GMT
