Re: mkstemp bug in the FVWM 2.5 branch with possible security consequences

[Dominik Vogt]

On Tue, Apr 04, 2006 at 02:38:21AM +0400, Serge (gentoosiast) Koksharov wrote:
   Good (day|morning|night) everyone,
 
 During examination of FvwmM4 '--debug' option I decided to examine FVWM's
 temporary file creation mechanism. Can you believe what I dig out:
 
 In libs/System.c there is a pragma '#ifdef HAVE_SAFTY_MKSTEMP'. This
 construction decides based on configure script system check whether to
 use underlying OS's mkstemp function (if it considered secure) or FVWM's
 internal one, which lies at the bottom of the same libs/System.c file.
 But acinclude.m4 defines 'HAVE_SAFETY_MKSTEMP' pragma, not
 'HAVE_SAFTY_MKSTEMP' which found in libs/System.c. So, in any case
 FVWM's internal implementation of mkstemp used even if the OS have its
 own _much more secure_ version of this function. This bug probably
 existed for almost three years and was introduced on 2003-08-27
 according to main Changelog. I attached patch which applies cleanly
 against 2.5.x CVS sources. It also corrects all other 'safty' typos in
 the source tree. Somebody on the list needs to verify stable 2.4 branch
 also.
 
 This example shows that a single typo can potentially lead to the big
 disaster. I hope it will be good lesson to all of us. In future, all
 workers should review every commit more attentively. It's much easier to
 not introduce newer bugs and typos than to find and fix them afterwards.
 I wonder, was FVWM's code extensively audited? Who knows that may be
 lurking inside?

I have committed this patch.

Ciao

Dominik ^_^  ^_^

 --
Dominik Vogt, [EMAIL PROTECTED]


signature.asc
Description: Digital signature

Re: mkstemp bug in the FVWM 2.5 branch with possible security consequences

[seventh guardian]

On 4/3/06, Serge (gentoosiast) Koksharov [EMAIL PROTECTED] wrote:
   Good (day|morning|night) everyone,

 During examination of FvwmM4 '--debug' option I decided to examine FVWM's
 temporary file creation mechanism. Can you believe what I dig out:

 In libs/System.c there is a pragma '#ifdef HAVE_SAFTY_MKSTEMP'. This
 construction decides based on configure script system check whether to
 use underlying OS's mkstemp function (if it considered secure) or FVWM's
 internal one, which lies at the bottom of the same libs/System.c file.
 But acinclude.m4 defines 'HAVE_SAFETY_MKSTEMP' pragma, not
 'HAVE_SAFTY_MKSTEMP' which found in libs/System.c. So, in any case
 FVWM's internal implementation of mkstemp used even if the OS have its
 own _much more secure_ version of this function. This bug probably
 existed for almost three years and was introduced on 2003-08-27
 according to main Changelog. I attached patch which applies cleanly
 against 2.5.x CVS sources. It also corrects all other 'safty' typos in
 the source tree. Somebody on the list needs to verify stable 2.4 branch
 also.


Wow! And there must be more, as the code is quite old..

 This example shows that a single typo can potentially lead to the big
 disaster. I hope it will be good lesson to all of us. In future, all
 workers should review every commit more attentively. It's much easier to
 not introduce newer bugs and typos than to find and fix them afterwards.
 I wonder, was FVWM's code extensively audited? Who knows that may be
 lurking inside?


I guess there should be a complete rewrite for the next major version,
but on the other hand there's a need to release a stable 2.6.. And
this last task is proving to be quite discouraging, as people with new
ideas tend to get bored when all they should do is to clean up the old
code.. There's a TODO list in the source that must (should) be done
before the next release.

Auditing the code may be a huge task, but it surely helps the next
release, and any help is wellcome! On the other hand it can be useless
in the iminence of a major rewrite, so if there is really going to be
one, maybe we should audit the code as we rewrite it, having the
errors corrected on the stable 2.6 version.

This is just my two cents, anyone is free to disagree..

Cheers!
   Renato Caldas