Hello Roberto,

* Roberto C. Sanchez <[EMAIL PROTECTED]> [2005-05-31 10:45]:
> Package: mutt
> Version: 1.5.9-2
> Severity: important
>
> I am only making this important because after discussing it on
> #debian-devel, the consensus was that this was annoying but not RC. I am
> CC'ing Nico and Elimar since this also applies to the unofficial
> mutt-ng packages. mutt creates temporary files in a very predictable
> and insecure way. There is no threat of overwriting an existing file or
> creating a file somewhere where the user lacks appropriate permissions,
> but there is a trivial way to DoS the users in mutt.
>
> Steps to replicate:
>
> Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
> running mutt. Note the pid of the mutt process you want to DOS. Note
> the username and run 'id <user>' to get the uid. Then run 'for i in
> `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> reply to mail, 4) or view help until mutt is restarted. For added fun,
> wrap in another for loop that iterates from 0 to 32767 and hit all the
> PIDs and prevent the user from using mutt until /tmp is cleaned or the
> machine is rebooted.
I fixed this bug for mutt-ng. I attached a 64 bit hex string to the
temporary file name. In my opinion the TMPDIR solution is not very good.
Please CC me.

Index: trunk/muttlib.c
===================================================================
--- trunk/muttlib.c (Revision 306)
+++ trunk/muttlib.c (Revision 308)
@@ -647,8 +647,10 @@
 void _mutt_mktemp (char *s, const char *src, int line)
 {
-  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d", NONULL (Tempdir),
-            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++);
+
+  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d-%x%x", NONULL (Tempdir),
+            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++,
+            (unsigned int) rand(), (unsigned int) rand());

Regards
Nico Golde

-- 
Nico Golde - [EMAIL PROTECTED] | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps and the one in which it doesn't
-- encrypted mail preferred
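Review bot: the two rand() calls appended in the new snprintf line do not make the name unpredictable, because no srand() call appears in this hunk and the C standard guarantees that rand() without a prior srand() produces the same sequence as srand(1); every muttng process on the host would therefore append the same "%x%x" values, and the attacker in the report can still pre-create all the names. Even with seeding, rand() is not a cryptographic generator and RAND_MAX is commonly 2^31-1, so "%x%x" gives at most 62 bits, not 64, and the unpadded "%x%x" makes the two values run together. The robust fix for this function is not a harder-to-guess name but atomic creation: have the caller obtain the file via mkstemp() (which opens with O_CREAT|O_EXCL on a libc-chosen suffix and retries on collision), or keep _mutt_mktemp returning a name but document that every caller must open it with O_EXCL and retry on EEXIST rather than fail. At minimum, drop the stray empty "+" line added before the snprintf.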
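The lockout described in the quoted report, and the atomic-creation fix it implies, as an added example that is neither mutt's nor mutt-ng's code: an attacker pre-creates every name of the form mutt-<host>-<uid>-<pid>-<counter> that a victim could pick, the victim's O_EXCL open of such a name then fails with EEXIST, while an open done through mkstemp() on a guessable prefix still succeeds. Assumptions, all constructed for the demo: the hostname "shared", a scratch directory under /tmp made with mkdtemp() standing in for /tmp, the counter range 0..999 (the report's seq 0 1000), and attacker and victim running in one process so that getuid()/getpid() are already the values the attacker would otherwise read from ps and id.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp()/mkdtemp() prototypes on strict compilers */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAMES 1000          /* counter range squatted by the attacker (constructed) */

/* The predictable scheme from the report: <dir>/mutt-<host>-<uid>-<pid>-<counter>.
 * Hypothetical stand-in for mutt's temp-name helper, not mutt's own code. */
static void predictable_name(char *out, size_t n, const char *dir,
                             const char *host, int counter)
{
    snprintf(out, n, "%s/mutt-%s-%d-%d-%d", dir, host,
             (int)getuid(), (int)getpid(), counter);
}

/* Attacker step: pre-create every name the victim process could pick
 * (the report's `for i in seq 0 1000; do touch ...; done`). */
static int squat_names(const char *dir, const char *host)
{
    char path[512];
    for (int i = 0; i < NAMES; i++) {
        predictable_name(path, sizeof path, dir, host, i);
        int fd = open(path, O_WRONLY | O_CREAT, 0644);
        if (fd < 0)
            return -errno;
        close(fd);
    }
    return 0;
}

/* Victim step with the predictable scheme. Opening with O_EXCL is the right
 * thing to do (it prevents symlink tricks), but once the name is squatted the
 * open fails: returns -EEXIST, which is exactly the DoS in the report. */
static int victim_open_predictable(const char *dir, const char *host, int counter)
{
    char path[512];
    predictable_name(path, sizeof path, dir, host, counter);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Victim step with mkstemp(): libc picks the XXXXXX suffix and creates the
 * file with O_CREAT|O_EXCL in one step, retrying on a collision, so squatting
 * a guessable prefix cannot block it. */
static int victim_open_mkstemp(const char *dir, const char *host)
{
    char path[512];
    snprintf(path, sizeof path, "%s/mutt-%s-%d-%d-XXXXXX", dir, host,
             (int)getuid(), (int)getpid());
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Runs the whole scenario in a private scratch directory so the real /tmp is
 * untouched. Return value is a bitmask:
 *   bit 0: the predictable-name open was denied with EEXIST (DoS worked)
 *   bit 1: the mkstemp() open succeeded despite the squatting (fix works)
 * so 3 means both halves of the demonstration held. */
int run_scenario(void)
{
    char tmpl[] = "/tmp/mutt-dos-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return -1;
    const char *host = "shared";   /* constructed hostname for the demo */
    int result = 0;

    if (squat_names(dir, host) == 0) {
        if (victim_open_predictable(dir, host, 0) == -EEXIST)
            result |= 1;
        if (victim_open_mkstemp(dir, host) == 0)
            result |= 2;
    }

    /* Clean up the squatted files and the scratch directory. */
    char path[512];
    for (int i = 0; i < NAMES; i++) {
        predictable_name(path, sizeof path, dir, host, i);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_scenario();
    printf("predictable name blocked by squatting: %s\n", (r & 1) ? "yes" : "no");
    printf("mkstemp() still creates a file:        %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The practical caveat is why the mutt-ng patch only changed the name: mutt's helper hands back a path string and each caller opens it itself, whereas mkstemp() hands back an already-open descriptor, so converting the callers is the larger job. Until that is done, the callers must at least treat EEXIST as "pick another name and retry" rather than as a fatal error, otherwise any guessable component of the name remains a lockout vector.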