Your message dated Wed, 11 Jan 2012 18:32:11 +0000
with message-id <e1rl2y3-00071h...@franck.debian.org>
and subject line Bug#655496: fixed in as31 2.3.1-5
has caused the Debian Bug report #655496,
regarding Insecure temporary file creation in /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
655496: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655496
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: as31
Version: 2.3.1-4
Severity: important
Tags: security

as31 creates a temporary file during assembly.  It uses the UID and
random() in the filename, but the random number generator is never
seeded, and so the filename is predictably the same every time,
introducing a security hole:

  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

The attached patch changes it to use mkstemps instead, giving:

  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-zadWSD.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-jkeFed.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-PzQu9r.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3

-jim

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (200, 'stable'), (150, 'oldstable'), (80, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages as31 depends on:
ii  libc6  2.11.2-10

as31 recommends no packages.

as31 suggests no packages.

-- no debconf information
--- as31-2.3.1/as31/run.c	2005-09-05 12:32:42.000000000 -0400
+++ as31-2.3.1-fixed/as31/run.c	2012-01-11 12:30:19.000000000 -0500
@@ -39,8 +39,8 @@
 	char *incLineBuffer=NULL;
 	int incSizeBuf=0;
 	FILE* includeFile=NULL;
+	int fd;
 
-	uid_t uid; 
 	/* first, figure out all the file names */
 
 	dashl = lst;
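Review bot: nothing in this patch adds an include or a feature-test macro alongside the new `int fd;` declaration, so confirm that run.c already has <stdlib.h> with mkstemps() visible and <unistd.h> for close(). mkstemps() is not part of POSIX, and on older compilers an implicit declaration would pass with only a warning.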
@@ -95,11 +95,18 @@
 		}
 	}
 	
-	uid = geteuid();
-	sprintf(tmpName,"/tmp/as31-%i-%ld.asm",uid,random());
-	fin = fopen(tmpName, "w");
+	sprintf(tmpName,"/tmp/as31-XXXXXX.asm");
+	fd = mkstemps(tmpName, 4);
+	if (fd == -1) {
+		mesg_f("Cannot create temp file\n");
+		if (outfile) free(outfile);
+		if (lstfile) free(lstfile);
+		return -1;
+	}
+	fin = fdopen(fd, "w");
 	if (fin == NULL) {
 		mesg_f("Cannot open temp file: %s\n",tmpName);
+		close(fd);
 		if (outfile) free(outfile);
 		if (lstfile) free(lstfile);
 		return -1;
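Review bot: in the fdopen() failure branch, close(fd) releases the descriptor but the file that mkstemps() has already created stays behind in /tmp; add unlink(tmpName) next to the close(fd). The "Cannot create temp file" message would be more useful with strerror(errno). The template is still written with sprintf into tmpName, whose size is not visible in this hunk, so snprintf with the buffer size is the safer call, and the hard-coded /tmp prefix ignores TMPDIR.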

--- End Message ---
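The difference between the two strace outputs in the report, as an added C example that is not part of the original message or of as31: it shows that the old open flags silently reuse a file already present at the predictable name, while O_EXCL refuses it and mkstemps() creates a fresh 0600 file. The function names and the scratch directory are assumptions made for the example, and it works inside a private mkdtemp() directory rather than directly in /tmp.

```c
#define _DEFAULT_SOURCE  /* glibc: expose mkstemps(), mkdtemp(), random() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old scheme: unseeded random() behaves as srandom(1), same name each run. */
void legacy_name(char *buf, size_t len, const char *dir) {
    srandom(1);
    snprintf(buf, len, "%s/as31-%i-%ld.asm", dir, (int)geteuid(), random());
}

/* Returns 1 if a file already present at the legacy name is silently reused
 * and truncated by the old flags, while O_EXCL refuses it with EEXIST. */
int legacy_reuses_existing(const char *dir) {
    char path[256];
    struct stat st;
    legacy_name(path, sizeof path, dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* pre-create */
    if (fd < 0 || write(fd, "data", 4) != 4) return 0;
    close(fd);
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);     /* old flags */
    int reused = fd >= 0 && fstat(fd, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    int fd2 = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);   /* new flags */
    int refused = fd2 < 0 && errno == EEXIST;
    if (fd2 >= 0) close(fd2);
    unlink(path);
    return reused && refused;
}

/* New scheme: mkstemps() chooses the name and creates the file atomically
 * (O_EXCL, mode 0600). Returns the fd or -1; the name is left in buf. */
int safe_temp(char *buf, size_t len, const char *dir) {
    if (snprintf(buf, len, "%s/as31-XXXXXX.asm", dir) >= (int)len) return -1;
    return mkstemps(buf, 4);                    /* 4 == strlen(".asm") */
}

int main(void) {
    char tmpl[] = "/tmp/as31-demo-XXXXXX", name[256];
    char *dir = mkdtemp(tmpl);                  /* private scratch directory */
    if (!dir) return 1;
    printf("legacy name reused: %d\n", legacy_reuses_existing(dir));
    int fd = safe_temp(name, sizeof name, dir);
    if (fd >= 0) { printf("mkstemps: %s\n", name); close(fd); unlink(name); }
    return rmdir(dir) != 0;
}
```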
--- Begin Message ---
Source: as31
Source-Version: 2.3.1-5

We believe that the bug you reported is fixed in the latest version of
as31, which is due to be installed in the Debian FTP archive:

as31_2.3.1-5.debian.tar.gz
  to main/a/as31/as31_2.3.1-5.debian.tar.gz
as31_2.3.1-5.dsc
  to main/a/as31/as31_2.3.1-5.dsc
as31_2.3.1-5_i386.deb
  to main/a/as31/as31_2.3.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 655...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bd...@gag.com> (supplier of updated as31 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jan 2012 11:15:32 -0700
Source: as31
Binary: as31
Architecture: source i386
Version: 2.3.1-5
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Bdale Garbee <bd...@gag.com>
Description: 
 as31       - Intel 8031/8051 assembler
Closes: 655487 655496
Changes: 
 as31 (2.3.1-5) unstable; urgency=low
 .
   * force regeneration of stale upstream parser.c to resolve "location
     counter overlaps" errors on 64-bit machines, closes: #655487
   * patch from Jim Paris to use mkstemps, closes: #655496

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
