ZATAZ Audits wrote:
> The vulnerability is caused due to temporary file being created insecurely.
> The temporary file used for archive creation could be read by untrusted
> users.
This is not just an information leak, but also a symlink vulnerability
since the temporary file is created without ensuring that either it
does not exist before or is owned by the same user, while it is placed
in a usually publically writable directory.
The following patch should fix both issues.
--- arcsvc.c~ 2005-03-13 16:48:09.000000000 +0100
+++ arcsvc.c 2005-09-17 09:41:51.000000000 +0200
@@ -17,6 +17,9 @@
Computer Innovations Optimizing C86
*/
#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#include "arc.h"
#if _MTS
#include <mts.h>
@@ -52,7 +55,12 @@ openarc(chg) /* open archive */
}
#endif
if (chg) { /* if opening for changes */
- if (!(new = fopen(newname, OPEN_W)))
+ int fd;
+
+ if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR,
S_IREAD|S_IWRITE)) == -1)
+ arcdie("Cannot create archive copy: %s", newname);
+
+ if (!(new = fdopen(fd, OPEN_W)))
arcdie("Cannot create archive copy: %s", newname);
changing = chg; /* note if open for changes */
Regards,
Joey
--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
