Re: SVGATextMode 1.8 /tmp race

[dumped () SEKURE ORG (dumped)]

On Thu, 21 Oct 1999, Adrian Voinea wrote:

> Hello,
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
> mode data in /tmp, in two files with the mode 644:
>
> [/tmp]
> root@Death# ls -lA
> total 1
> drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/
>
> [/tmp]
> root@Death# savetextmode
> svgalib: Using S3 driver (Trio64, 4096K).
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
>
> [/tmp]
> root@Death# ls -lA
> total 35
> drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/
> -rw-r--r--   1 root     gods        32768 Oct 21 22:56 fontdata
> -rw-r--r--   1 root     gods          385 Oct 21 22:56 textregs
>
> Also, I would like to add that savetextmode accepts no parameters.
> So... any user on the system that knows that the root is using
> SVGATextMode could link any of the files to a file that he wants to be
> overwritten.
> The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne () barco com.

diff -Nur svgalib-1.3.1.buggy/utils/savetextmode svgalib-1.3.1/utils/savetextmode
--- svgalib-1.3.1.buggy/utils/savetextmode      Sat Aug  2 03:37:15 1997
+++ svgalib-1.3.1/utils/savetextmode    Thu Oct 22 12:25:50 1998
@@ -1,3 +1,3 @@
 #!/bin/sh
-restoretextmode -w /tmp/textregs
-restorefont -w /tmp/fontdata
+restoretextmode -w `mktemp /tmp/textregs.XXXXXX`
+restorefont -w `mktemp /tmp/fontdata.XXXXXX`

Stupid.

dumped
http://www.sekure.org
Sekure/Uground Ind.