Package: texinfo
Version: 4.7-2.2
Severity: important
Tags: security
There is a race condition on creating temporary files in texindex.
The following function generates the name of the temporary file:
static char *
maketempname (int count)
{
  static char *tempbase = NULL;
  char tempsuffix[10];

  if (!tempbase)
    {
      int fd;
      tempbase = concat (tempdir, "txidxXXXXXX");

      fd = mkstemp (tempbase);
      if (fd == -1)
        pfatal_with_name (tempbase);
    }

  sprintf (tempsuffix, ".%d", count);
  return concat (tempbase, tempsuffix);
}
which is used later as
  char *outname = maketempname (++tempcount);
  FILE *ostream = fopen (outname, "w");
Since the further filenames are deterministic after the first one
is generated, this is easily exploitable.
The use case is rather rare though, since the temporary files are only
generated if the file to sort is longer than 50.000 lines, which is
probably not too common.
In OpenBSD this seems to have been fixed in 2000 (sic!), see this patch
http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/texinfo/util/texindex.c.diff?r1=1.2&r2=1.3
(which probably doesn't apply today cleanly anymore but could be adapted).
It introduces a possibility for DoS but fixes the race...
Regards,
Frank Lichtenheld
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages texinfo depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
texinfo recommends no packages.
-- no debconf information
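
Added example, not part of the original report and not texinfo or OpenBSD code: the difference between fopen (name, "w") on a predictable name and an exclusive create, plus a per-file mkstemp() as the safer pattern. The helper names (wrap_fd, open_exclusive, open_temp_stream, demo), the /tmp/tmpdemoXXXXXX directory and the planted file name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Wrap FD in a stdio stream; close FD instead of leaking it on failure.  */
static FILE *wrap_fd (int fd)
{
  FILE *fp = fd == -1 ? NULL : fdopen (fd, "w");
  if (fd != -1 && !fp)
    close (fd);
  return fp;
}

/* Open a predictable NAME only if nothing exists there.  With O_EXCL,
   open() fails with EEXIST even when NAME is a dangling symlink.  */
static FILE *open_exclusive (const char *name)
{
  return wrap_fd (open (name, O_WRONLY | O_CREAT | O_EXCL, 0600));
}

/* Preferred: mkstemp() picks and creates a fresh 0600 file per stream.  */
static FILE *open_temp_stream (const char *dir, char *name, size_t size)
{
  if (snprintf (name, size, "%s/txidxXXXXXX", dir) >= (int) size)
    return NULL;
  return wrap_fd (mkstemp (name));
}

/* Constructed check in a private directory: a symlink planted at a
   predictable name must be refused.  Returns 0 when that holds.  */
static int demo (void)
{
  char dir[] = "/tmp/tmpdemoXXXXXX", planted[64], victim[64], fresh[64];
  if (!mkdtemp (dir))
    return -1;
  snprintf (planted, sizeof planted, "%s/txidxAAAAAA.1", dir);
  snprintf (victim, sizeof victim, "%s/victim", dir);
  int ok = symlink (victim, planted) == 0 && open_exclusive (planted) == NULL
           && errno == EEXIST && access (victim, F_OK) == -1;
  FILE *fp = open_temp_stream (dir, fresh, sizeof fresh);
  ok = fp && fclose (fp) == 0 && ok;
  unlink (fresh);
  unlink (planted);
  rmdir (dir);
  return ok ? 0 : 1;
}
int main (void) { return demo (); }
```
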