Hello Roberto,

* Roberto C. Sanchez <[EMAIL PROTECTED]> [2005-05-31 10:45]:
> Package: mutt
> Version: 1.5.9-2
> Severity: important
> 
> I am only making this important because after discussing it on
> #debian-devel, the consensus was that this was annoying but not RC.  I am
> CC'ing Nico and Elimar since this also applies to the unofficial
> mutt-ng packages.  mutt creates temporary files in a very predictable
> and insecure way.  There is no threat of overwriting an existing file or
> creating a file somewhere where the user lacks appropriate permissions,
> but there is a trivial way to DoS the users in mutt.
> 
> Steps to replicate:
> 
> Log into a shared machine and run 'ps aux|grep mutt'.  Choose a user
> running mutt.  Note the pid of the mutt process you want to DoS.  Note
> the username and run 'id <user>' to get the uid.  Then run 'for i in
> `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> reply to mail, 4) or view help until mutt is restarted.  For added fun,
> wrap in another for loop that iterates from 0 to 32767 and hit all the
> PIDs and prevent the user from using mutt until /tmp is cleaned or the
> machine is rebooted.

I fixed this bug for mutt-ng.
I attached a 64 bit hex string to the temporary file name.
In my opinion the TMPDIR solution is not very good.
Please CC me.

Index: trunk/muttlib.c
===================================================================
--- trunk/muttlib.c     (Revision 306)
+++ trunk/muttlib.c     (Revision 308)
@@ -647,8 +647,10 @@
 
 void _mutt_mktemp (char *s, const char *src, int line)
 {
-  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d", NONULL (Tempdir),
-            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++);
+
+  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d-%x%x", NONULL (Tempdir),
+            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++, 
+            (unsigned int) rand(), (unsigned int) rand());
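Review bot: the new suffix is still guessable from another local account: nothing in the hunk seeds rand(), so its output is a deterministic sequence that any process on the machine can reproduce, and "%x%x" over two rand() values yields at most 62 bits on glibc (RAND_MAX is 2^31-1) rather than a full 64-bit string. Lengthening the name only narrows the window; the robust fix is to let mkstemp() create and open the file atomically (O_CREAT|O_EXCL, mode 0600) and hand the descriptor back to the caller, so a name planted in advance makes the open fail instead of being reused. Also, the first `+` line adds a stray blank line at the top of the function body; drop it.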
Regards Nico Golde

-- 
Nico Golde - [EMAIL PROTECTED] | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org 
VIM has two modes - the one in which it beeps 
and the one in which it doesn't -- encrypted mail preferred
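The contrast between the predictable naming described in the bug report and an atomic, O_EXCL-based creation, as an added example that is not part of this thread or of mutt/mutt-ng's code. The directory, the `muttng-` prefix and the planted sample name (`muttng-host-1000-4242-0`) are constructed for the demonstration; the real work is done by the standard mkstemp() and open(O_CREAT|O_EXCL) calls.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a unique temporary file under `dir` with a "muttng-" prefix
 * (prefix chosen for this example). mkstemp() fills in the XXXXXX suffix
 * and opens the file with O_CREAT|O_EXCL and mode 0600, so a name that
 * someone else created beforehand is never reused. On success `path`
 * holds the created name and the open descriptor is returned; -1 on error. */
int create_private_tempfile(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/muttng-XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(path);               /* atomic create-and-open */
    if (fd < 0)
        return -1;
    /* Verify we got a regular file owned by us, not something planted. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Exclusive create of a fixed name. If the name already exists the call
 * fails with EEXIST rather than silently writing into a foreign file;
 * this is exactly the failure the bug report triggers with a guessable name. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Demonstration inside a private directory: a pre-existing predictable
 * name blocks open_exclusive(), while mkstemp-based creation in the same
 * directory still succeeds. Returns 1 when both hold, 0 otherwise. */
int demo_predictable_vs_random(const char *dir)
{
    char planted[4096], fresh[4096];
    int n = snprintf(planted, sizeof planted, "%s/muttng-host-1000-4242-0", dir);
    if (n < 0 || (size_t)n >= sizeof planted)
        return 0;

    int fd = open_exclusive(planted);     /* first creation succeeds */
    if (fd < 0)
        return 0;
    close(fd);
    int blocked = (open_exclusive(planted) < 0 && errno == EEXIST);

    int fd2 = create_private_tempfile(dir, fresh, sizeof fresh);
    int ok = (fd2 >= 0);
    if (ok) {
        close(fd2);
        unlink(fresh);
    }
    unlink(planted);
    return blocked && ok;
}

int main(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX";   /* private scratch directory */
    if (!mkdtemp(dir)) {
        perror("mkdtemp");
        return 1;
    }
    int ok = demo_predictable_vs_random(dir);
    printf("%s\n", ok ? "predictable name blocked, mkstemp name created"
                      : "unexpected result");
    rmdir(dir);
    return ok ? 0 : 1;
}
```

The point of the demo is that the defence lives in the open() flags, not in the name: with O_EXCL a pre-created file makes the open fail loudly, and mkstemp() adds an unguessable suffix on top so that the failure cannot be provoked by guessing.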
