Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Isearch insecure temporary files
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 21 Dec 2012 10:26:57 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/21/2012 04:05 AM, David Holland wrote:
NetBSD pkgsrc ships an old text search package called Isearch,
which I found tonight (in the course of making it compile with a
modernish C++ compiler) to contain garden-variety /tmp races.

Does anyone else ship it? I don't think this is worth a CVE unless 
someone does; the package appears to be dead upstream.

This is similar to http://seclists.org/oss-sec/2012/q4/142

Ideally we need some way to mark software as dead/unsafe/don't use. I
don't know what the answer is though (does someone maintain a
blacklist? who decides? etc.).

http://gnats.netbsd.org/47360 for reference; the relevant portions
of the patches cited follow.

Yeah that's pretty classic /tmp vulns. Please use CVE-2012-5663 for
this issue.

--- doctype/anzmeta.cxx~      2000-10-11 14:02:15.000000000 +0000 +++
doctype/anzmeta.cxx @@ -1446,9 +1448,21 @@ ANZMETA::Present (const
RESULT& ResultRe } else { STRING s_cmd; //CHR* c_cmd; -             CHR
*TmpName; +         CHR TmpName[64]; +              int fd;

-           TmpName = tempnam("/tmp", "mpout"); +           strcpy(TmpName,
"/tmp/mpoutXXXXXX"); +              fd = mkstemp(TmpName); +        if (fd
< 0) { +               /* +             * Apparently failure is not an option here, so +
* proceed in a way that at least won't be insecure. +           */ +
strcpy(TmpName, "/dev/null"); +             } +             else { +
close(fd); +        }

cout << "[ANZMETA::Present] no docs found, so build Fly cmd" <<
endl;

--- doctype/fgdc.cxx~ 2000-09-06 18:20:30.000000000 +0000 +++
doctype/fgdc.cxx @@ -1824,10 +1826,22 @@ FGDC::Present (const
RESULT& ResultRecor return; } else { STRING s_cmd; -        CHR
*TmpName; - -       TmpName = tempnam("/tmp", "mpout"); +           CHR
TmpName[64]; +              int fd;

+           strcpy(TmpName, "/tmp/mpoutXXXXXX"); +          fd =
mkstemp(TmpName); +         if (fd < 0) { +            /* +             * Apparently
failure is not an option here, so +             * proceed in a way that at
least won't be insecure. +              */ +           strcpy(TmpName, "/dev/null"); 
+           } +             else { +           close(fd); +         } + 
BuildCommandLine(mpCommand, HoldFilename, RecordSyntax, TmpName,
&s_cmd); system(s_cmd); --- src/marc.cxx.orig 1998-05-12
16:49:10.000000000 +0000 +++ src/marc.cxx @@ -194,9 +194,15 @@
MARC::GetPrettyBuffer(STRING *Buffer) { /* // Cheese, cheese,
cheese;-) -  char *tempfile = tempnam("/tmp", "marc"); +  char
tempfile[32]; +  strcpy(tempfile, "/tmp/marcXXXXXX"); +  int tempfd
= mkstemp(tempfile); +  if (tempfd < 0) { +    *Buffer =
"MARC::GetPrettyBuffer() failed to open temp file"; +    return; +
} FILE *fp; -  if((fp = fopen(tempfile, "w")) == NULL) { +  if((fp
= fdopen(tempfd, "w")) == NULL) { *Buffer =
"MARC::GetPrettyBuffer() failed to open temp file"; return; }



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ1JvdAAoJEBYNRVNeJnmTECoP/1MoTbtK3rDPjqww7CZHmPNv
e3holkb4Pf9ksE1cI8N/dQJsceSbl6QGJbN3K3D44gRvELI4d+WUmmzZBVJUmWxO
gEgeMrbTcpTYlARwNa7U7saMW0yNIx8JXA1KFmVGik/cEyb4vfV0TezRU6YtUrhA
ubwNURoxyNaIofcTW5SKLvS9DAbBYa9UhdZzbJFd7ECAU1SuPZJ/MBScwzY5OAwt
Sa2u870/pnrUkkFUoSGgmNGOys3ZlTz306IdOUEFdf4LvTbYsWPGKI/yOjIH/SGS
gFyOmPGrD9D0FY8XDyWV+AczTZB1JAD7EonapmlHvfrT0urq6pJDoRprsZBDxdNy
jeKgzkzdqTXncrf7UDH2TobHSzgULvOrk4iw+jQSkKebiWTRl14W5LhM7XLciz7V
lLJWsghteeHDUrsXrQo0DET8Pp0GnOISIPWdL8t9mqAjjHTMZMzIrmHeSht2Hw3i
CKHdbi76fTdsJPFRxWZtD1izoA1LELK6iNoxeNQwFNHvwtykhXmE5P/DRwTzvu9v
E7IAe7A/1PT88CXK/tRf1oAic4gGDAJszKUBmklpH+ofafJOPRNTt3PComxO3xKr
JfjFRr/R9zOw+MPgmlocCdIj6q3qAm0eKffkyy20pjmJP7V3zzdhNfNCi6EfmEfp
xZUppQSnc3JVbv7nYq3s
=r14p
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]