tag 329053 patch
thanks

Hi!

Joey posted a patch on full-disclosure, which looks fine.

Martin

----- Forwarded message from Joey Schulze <[EMAIL PROTECTED]> -----

Date: Tue, 20 Sep 2005 20:23:30 +0200
From: Joey Schulze <[EMAIL PROTECTED]>
To: [email protected]
Cc: 
Subject: [Full-disclosure] Re: arc insecure temporary file creation
X-Spam-Status: No, score=0.1 required=4.0 tests=AWL,BAYES_50 autolearn=no 
        version=3.0.3

ZATAZ Audits wrote:
> The vulnerability is caused due to temporary file being created insecurely.
> The temporary file used for archive creation could be read by untrusted 
> users.

This is not just an information leak, but also a symlink vulnerability
since the temporary file is created without ensuring that either it
does not exist before or is owned by the same user, while it is placed
in a usually publicly writable directory.

The following patch should fix both issues.

--- arcsvc.c~   2005-03-13 16:48:09.000000000 +0100
+++ arcsvc.c    2005-09-17 09:41:51.000000000 +0200
@@ -17,6 +17,9 @@
         Computer Innovations Optimizing C86
 */
 #include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 #include "arc.h"
 #if    _MTS
 #include <mts.h>
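
Review bot: the three new includes at the top of arcsvc.c are unconditional, although the same file guards platform headers (`#if _MTS` around `#include <mts.h>`) and its header comment names a non-Unix compiler (Computer Innovations Optimizing C86). If those targets are still meant to build, `<sys/types.h>`, `<sys/stat.h>` and `<fcntl.h>`, together with the `open()` call that needs them, should sit behind the Unix build guard; if they are not, say so in the change description.
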
@@ -52,7 +55,12 @@ openarc(chg)                 /* open archive */
        }
 #endif
        if (chg) {              /* if opening for changes */
-               if (!(new = fopen(newname, OPEN_W)))
+               int fd;
+
+               if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, 
S_IREAD|S_IWRITE)) == -1)
+                       arcdie("Cannot create archive copy: %s", newname);
+
+               if (!(new = fdopen(fd, OPEN_W)))
                        arcdie("Cannot create archive copy: %s", newname);
 
        changing = chg;         /* note if open for changes */
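
Review bot: in the `if (chg)` block, both failure paths call arcdie with the same "Cannot create archive copy: %s" text and no errno, so the user cannot tell an already existing `newname` (EEXIST, which O_EXCL now makes fatal) from a permission or disk-space error; adding strerror(errno) to the message after the `open()` check would make that diagnosable. When `fdopen()` fails, `fd` is still open and the file just created under `newname` stays behind, so close and unlink it before arcdie unless arcdie already cleans up. `S_IREAD|S_IWRITE` are the legacy names; `S_IRUSR|S_IWUSR` is the POSIX spelling. The `open(` line is also wrapped after `O_RDWR,` in the mail, so the hunk will not apply as posted.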

Regards,

        Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

----- End forwarded message -----

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
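
Why replacing fopen() with open() and O_CREAT|O_EXCL closes the symlink hole described in the forwarded message, as an added example that is not part of the original mails or of arc's source. The function names, the /tmp/arcdemoXXXXXX scratch directory and the file names in it are made up for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-patch pattern: fopen() follows an existing symlink and truncates its target. */
int create_with_fopen(const char *path)
{
    FILE *f = fopen(path, "w");
    return f ? fclose(f) : -1;
}

/* Patched pattern: O_CREAT|O_EXCL refuses any existing name, symlinks included. */
int create_exclusive(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, S_IRUSR | S_IWUSR);
    return fd == -1 ? -1 : close(fd);
}

/* Constructed scenario: "arc.tmp" is a symlink to an 8-byte file. Runs create()
   on the link name, stores its result in *rc, returns the target's size afterwards. */
long target_size_after(int (*create)(const char *), int *rc)
{
    char dir[] = "/tmp/arcdemoXXXXXX", target[64], tmpname[64];
    struct stat st;
    long size = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpname, sizeof tmpname, "%s/arc.tmp", dir);
    if (create_with_fopen(target) == 0 && truncate(target, 8) == 0 &&
        symlink(target, tmpname) == 0) {
        *rc = create(tmpname);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    unlink(tmpname); unlink(target); rmdir(dir);
    return size;
}

int main(void)
{
    int rc = 0;
    printf("fopen:  target left at %ld bytes\n", target_size_after(create_with_fopen, &rc));
    printf("O_EXCL: target left at %ld bytes\n", target_size_after(create_exclusive, &rc));
    return 0;
}
```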
