Re: Bug#59836: [PATCH] /tmp race in LZWStream.c



>>>> "CP" == Colin Phipps <crp22@cam.ac.uk> writes:

Thanks.

I cc this message to gnome-devel for approval.

CP> Subject: [PATCH]
CP> Package: libgtkxmhtml1
CP> Version: 1.0.56-1
CP> Severity: normal

CP> libgtkxmhtml.so.1.0.1 is used by a number of gnome apps for rendering html
CP> documents. The library has to decompress certain files (images I suppose),
CP> so it writes them to temporary files in /tmp to do this. However, these
CP> files are created unsafely, in a way whereby a malicious user could cause it
CP> to follow symlinks or modify the file contents. See the tmpnam(3)
CP> documentation for the standard warnings.

CP> The bad opens can be seen by running 

CP> strace gnome-help-browser 2>&1 | grep /tmp

CP> and going to www.slashdot.org.

CP> Fix is easy, open safely using O_EXCL, 0600 permissions. 

CP> *** LZWStream.c.orig	Tue Mar  7 12:53:50 2000
CP> --- LZWStream.c	Tue Mar  7 14:30:34 2000
CP> ***************
CP> *** 83,88 ****
CP> --- 83,89 ----
CP> #include <stdlib.h>
CP> #include <string.h>
CP> #include <unistd.h>
CP> + #include <fcntl.h>
  
CP> #ifndef NO_XmHTML			/* defined when compiling for standalone */
CP> #ifdef WITH_GTK
CP> *************** LZWStreamInit(LZWStream *lzw)
CP> *** 811,823 ****
CP> tmpnam(lzw->zName);
CP> strcat(lzw->zName, ".Z");
  
CP> ! 	/* open it */
CP> ! 	if(!(lzw->f = fopen(lzw->zName, "w")))
CP> ! 	{
CP> sprintf(msg_buf, "LZWStream Error: couldn't open temporary file "
CP> "'%s'.", lzw->zName);
lzw-> err_msg = msg_buf;
CP> return(-1);
CP> }
  
CP> /*
CP> --- 812,828 ----
CP> tmpnam(lzw->zName);
CP> strcat(lzw->zName, ".Z");
  
CP> ! 	{ /* open it 
CP> ! 	   * CPhipps 2000/03/07- open temp file safely */
CP> ! 	  int fd = open(lzw->zName, O_CREAT|O_RDWR|O_EXCL, 0600);
CP> ! 
CP> ! 	  if((fd == -1) || !(lzw->f = fdopen(fd, "w")))
CP> ! 	    {
CP> sprintf(msg_buf, "LZWStream Error: couldn't open temporary file "
CP> "'%s'.", lzw->zName);
lzw-> err_msg = msg_buf;
CP> return(-1);
CP> + 	    }
CP> }
  
CP> /*
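
Review bot: In the new block at 812-828, one error path serves two different failures. When open() succeeds but fdopen() fails, the function returns -1 without calling close(fd) or unlink(lzw->zName), so the descriptor leaks and an empty 0600 file is left in /tmp. Split the test so the fdopen() failure closes and unlinks before returning. The name also still comes from tmpnam(), so with O_EXCL a name that already exists makes LZWStreamInit() fail outright; retrying with a fresh name on EEXIST would stop a pre-created file from turning into a decode failure. O_WRONLY would be enough for a stream opened with "w".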

CP> Colin

CP> -- System Information
CP> Debian Release: woody
CP> Architecture: i386
CP> Kernel: Linux crp22 2.2.15pre13-int1-cph3 #1 Sun Mar 5 19:09:52 GMT 2000 i686

CP> Versions of packages libgtkxmhtml1 depends on:
CP> ii  libc6                         2.1.3-6    GNU C Library: Shared libraries an
CP> ii  libglib1.2                    1.2.7-2    The GLib library of C routines    
CP> ii  libgtk1.2                     1.2.7-1    The GIMP Toolkit set of widgets fo
CP> ii  libjpeg62                     6b-1.2     The Independent JPEG Group's JPEG 
CP> ii  libpng2                       1.0.5-1    PNG library - runtime             
CP> ii  xlib6g                        3.3.6-5    shared libraries required by X cli
CP> ii  xpm4g [libxpm4]               3.4k-5     the X PixMap library              
CP> ii  zlib1g [libz1]                1:1.1.3-5  compression library - runtime     
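
The symlink case described in the report and the effect of the O_EXCL fix, as an added example that is not part of the original message or the XmHTML source. The helper names, the `/tmp/lzwdemoXXXXXX` scratch directory and the 6-byte `victim` file are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700 /* expose mkdtemp(), symlink(), fdopen() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-patch open: fopen() follows a symlink at 'name' and truncates its target. */
static FILE *open_tmp_fopen(const char *name) { return fopen(name, "w"); }

/* Patched open: O_EXCL fails with EEXIST if anything, a symlink included,
 * already exists at 'name'. Cleans up if fdopen() fails after open() worked. */
static FILE *open_tmp_excl(const char *name)
{
    int fd = open(name, O_CREAT | O_WRONLY | O_EXCL, 0600);
    FILE *f;
    if (fd == -1) return NULL;   /* not our file: do not unlink it */
    if (!(f = fdopen(fd, "w"))) { close(fd); unlink(name); }
    return f;
}

/* Constructed scenario in a private mkdtemp() directory: 'victim' holds 6 bytes
 * and 'tmp.Z' is a symlink to it. Returns the size of 'victim' after the chosen
 * opener ran (-1 on setup failure); *opened is 1 if the opener succeeded. */
long run_scenario(int use_excl, int *opened)
{
    char dir[] = "/tmp/lzwdemoXXXXXX", victim[64], tmp[64];
    struct stat st;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tmp.Z", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("secret", f); fclose(f);
    if (symlink(victim, tmp) != 0) return -1;
    f = use_excl ? open_tmp_excl(tmp) : open_tmp_fopen(tmp);
    *opened = (f != NULL); if (f) fclose(f);
    if (stat(victim, &st) != 0) st.st_size = -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    int a, b;
    long sa = run_scenario(0, &a), sb = run_scenario(1, &b);
    printf("fopen:  opened=%d victim=%ld bytes\nO_EXCL: opened=%d victim=%ld bytes\n", a, sa, b, sb);
    return 0;
}
```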



