On Tue, May 31, 2005 at 04:22:08PM +0200, Nico Golde wrote:
> Hello Roberto,
> 
> * Roberto C. Sanchez <[EMAIL PROTECTED]> [2005-05-31 10:45]:
> > Package: mutt
> > Version: 1.5.9-2
> > Severity: important
> > 
> > I am only making this important because after discussing it on
> > #debian-devel, the consensus was that this was annoying but not RC.  I am
> > CC'ing Nico and Elimar since this also applies to the unofficial
> > mutt-ng packages.  mutt creates temporary files in a very predictable
> > and unsecure way.  There is no threat of overwriting an existing file or
> > creating a file somewhere where the user lacks appropriate permissions,
> > but there is a trivial way to DoS the users in mutt.
> > 
> > Steps to replicate:
> > 
> > Log into a shared machine and run 'ps aux|grep mutt'.  Choose a user
> > running mutt.  Note the pid of the mutt process you want to DOS.  Note
> > the username and run 'id <user>' to get the uid.  Then run 'for i in
> > `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> > watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> > reply to mail, 4) or view help until mutt is restarted.  For added fun,
> > wrap in another for loop that iterates from 0 to 32767 and hit all the
> > PIDs and prevent the user from using mutt until /tmp is cleaned or the
> > machine is rebooted.
> 
> I fixed this bug for mutt-ng.
> I attached a 64 bit hex string to the temporary file name.
> In my opinion the TMPDIR solution is not very good.
> Please CC me.
> Index: trunk/muttlib.c
> ===================================================================
> --- trunk/muttlib.c     (Revision 306)
> +++ trunk/muttlib.c     (Revision 308)
> @@ -647,8 +647,10 @@
>  
>  void _mutt_mktemp (char *s, const char *src, int line)
>  {
> -  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d", NONULL (Tempdir),
> -            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++);
> +
> +  snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d-%x%x", NONULL 
> (Tempdir),
> +            NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++, 
> +            (unsigned int) rand(), (unsigned int) rand());
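Review bot: the two rand() calls added to the snprintf arguments are only as unpredictable as the generator's seed, and nothing in this hunk seeds it; if srand() is never called elsewhere, rand() returns the same sequence on every run, so the new %x%x suffix can be computed in advance just like the uid, pid and counter before it. Even when seeded, rand() is not a cryptographic generator and each call yields at most RAND_MAX, so the suffix is not guaranteed to carry 64 bits. I would suggest drawing the suffix from the kernel (for example /dev/urandom), or building a template that ends in XXXXXX and letting mkstemp(3) pick the name and create the file in one step. The empty line added before snprintf can also be dropped.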
> Regards Nico Golde
> 

Thanks.  Another possible solution is the use of the tmpfile(3) or
mkstemp(3) functions.  But yours appears sound as well.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
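
The mkstemp(3) alternative mentioned in the reply above, as an added example that is not part of the original thread or of mutt's code. It assumes exclusive creation (O_EXCL) for the predictable scheme; the `demo-` prefix, the function names and the scratch directory are hypothetical, and the pre-created file is constructed inside that scratch directory only.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Predictable scheme like the one in the report (uid-pid-counter).
 * Assumption: the file is created with O_EXCL, so an existing name fails. */
int open_predictable(const char *dir, int counter, char *out, size_t n)
{
    snprintf(out, n, "%s/demo-%d-%d-%d", dir,
             (int) getuid(), (int) getpid(), counter);
    return open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mkstemp(3) replaces XXXXXX with a random suffix and creates the file
 * exclusively with mode 0600, retrying internally if a name is taken. */
int open_mkstemp(const char *dir, char *out, size_t n)
{
    if ((size_t) snprintf(out, n, "%s/demo-XXXXXX", dir) >= n)
        return -1;
    return mkstemp(out);
}

/* Returns 1 when a pre-existing file blocks the predictable name
 * but mkstemp still succeeds; -1 if the scratch directory cannot be made. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX";
    char squat[256], a[256], b[256];
    if (!mkdtemp(dir))
        return -1;

    /* Constructed input: the counter-0 name already exists in the directory. */
    snprintf(squat, sizeof squat, "%s/demo-%d-%d-0", dir,
             (int) getuid(), (int) getpid());
    int sq = open(squat, O_WRONLY | O_CREAT, 0644);
    if (sq >= 0) close(sq);

    int fd1 = open_predictable(dir, 0, a, sizeof a); /* fails with EEXIST */
    int fd2 = open_mkstemp(dir, b, sizeof b);        /* gets a fresh name */
    int ok = (fd1 < 0 && fd2 >= 0);

    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) { close(fd2); unlink(b); }
    unlink(squat);
    rmdir(dir);
    return ok;
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```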
