[Joey Hess] > a. Attacker links CPLAY_TMP to the directory that is owned by the victim > and to which attacker also has write access.
It seems to me our whole problem is that the CPLAY_TMP dir is unnecessary. mkfifo is just as atomic as mkdir: both will fail if anyone tries any funny business. So here is a much-simplified 10_cplay-tmp.dpatch which I think is safe. It's not tested; I don't know how to test security race patches except to stare at them a while and look for logic problems. Joey, could you eyeball it please? Peter
#! /bin/sh -e
## 10_cplay-tmp.dpatch by Martin Michlmayr <[EMAIL PROTECTED]>
##
## DP: Fix insecure /tmp handling (#255768)
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
if [ $# -ne 1 ]; then
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
fi
case "$1" in
-patch) patch $patch_opts -p1 < $0;;
-unpatch) patch $patch_opts -p1 -R < $0;;
*)
echo >&2 "`basename $0`: script expects -patch|-unpatch as
argument"
exit 1;;
esac
exit 0
@DPATCH@
diff -urNad cplay-1.49/cplay cplay-1.49/cplay
--- cplay-1.49/cplay
+++ cplay-1.49/cplay
@@ -63,7 +63,8 @@
# ------------------------------------------
XTERM = re.search("rxvt|xterm", os.environ["TERM"])
-CONTROL_FIFO = "/var/tmp/cplay_control"
+CONTROL_FIFO = "%s/cplay-control-%s" %
+ (os.environ.get("TMPDIR", "/tmp"), os.environ["USER"])
# ------------------------------------------
def which(program):
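Review bot: As shown, the two added lines are a syntax error: the assignment ends on a bare `%` and the tuple sits on the next line with no enclosing parentheses or backslash (a trailing backslash may have been lost in the mail). Keep the statement on one line or wrap the right-hand side in parentheses. `os.environ["USER"]` also raises KeyError at import time when USER is unset (cron, some su/sudo setups), and it puts caller-controlled text into a path. The numeric uid avoids both: `CONTROL_FIFO = "%s/cplay-control-%d" % (os.environ.get("TMPDIR", "/tmp"), os.getuid())`.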
@@ -1334,8 +1335,6 @@
# ------------------------------------------
class FIFOControl:
def __init__(self):
- try: self.fd = open(CONTROL_FIFO, "rb+", 0)
- except: self.fd = None
self.commands = {"pause" : app.toggle_pause,
"next" : app.next_song,
"prev" : app.prev_song,
@@ -1346,6 +1345,15 @@
"volup" : app.inc_volume,
"voldown" : app.dec_volume,
"quit" : app.quit}
+ self.fd = None
+ try:
+ if os.path.exists(CONTROL_FIFO):
+ os.unlink(CONTROL_FIFO)
+ os.mkfifo(CONTROL_FIFO, 0600)
+ self.fd = open(CONTROL_FIFO, "rb+", 0)
+ except IOError:
+ # warn that we're disabling the fifo because someone raced us?
+ return
def handle_command(self):
command = string.strip(self.fd.readline())
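Review bot: The `except IOError:` after the new try block does not cover the two calls most likely to fail. On the Python 2 this file targets, `os.unlink` and `os.mkfifo` raise `OSError`, so a path another user pre-created in a sticky /tmp (unlink fails) or a lost race (mkfifo fails with EEXIST) ends in a traceback at startup instead of the intended quiet fallback to `self.fd = None`. Change the handler to `except (IOError, OSError):`; the cleanup hunk at the end of the patch has the same `except IOError` around `os.unlink` and needs the same change. It is also worth checking the opened descriptor before trusting it, since TMPDIR may name a directory without the sticky bit: take `st = os.fstat(self.fd.fileno())` and require `stat.S_ISFIFO(st.st_mode) and st.st_uid == os.getuid()`, which needs `stat` imported (not visible in this hunk). `__init__` begins in the previous hunk, and whether `handle_command` is ever reached with `self.fd` set to None cannot be told from the lines shown.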
@@ -1419,6 +1427,11 @@
XTERM and sys.stderr.write("\033]0;%s\a" % "xterm")
tty and tty.tcsetattr(sys.stdin.fileno(), tty.TCSADRAIN, self.tcattr)
print
+ # remove temporary files
+ try:
+ if os.path.exists(CONTROL_FIFO): os.unlink(CONTROL_FIFO)
+ except IOError:
+ pass
def run(self):
while 1:
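Review bot: The cleanup removes whatever sits at CONTROL_FIFO whether or not this process created it. If FIFO setup was skipped in `FIFOControl.__init__`, or a second cplay run by the same user has since created its own FIFO at that path, exit deletes an object this process does not own. Record success at creation time and unlink only then, e.g. set a module-level `fifo_created = True` (a new name, not in the file) after `os.mkfifo` succeeds and use `if fifo_created: os.unlink(CONTROL_FIFO)` here. The enclosing method starts outside the hunk.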

