Bug#433518: gsambad: Improved patch for CVE-2007-2838

Tue, 17 Jul 2007 10:21:16 -0700 

Package: gsambad
Version: 0.1.6-2
Severity: normal
Tags: patch

Hello,

I've prepared updates of gsambad for Ubuntu edgy and feisty based on the
Debian fix for this CVE. Kees Cook (member of the Ubuntu security team)
reviewed the proposed updates and was unhappy with the fix. He proposed
to use mkstemp() to create the tmp file.

Attached is the improved dpatch which was used in the Ubuntu updates.

See also http://launchpad.net/bugs/124629

Regards,

Michael

#! /bin/sh /usr/share/dpatch/dpatch-run
## 04-cve-2007-2838.dpatch by Michael Bienia <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: CVE-2007-2838: Unsafe tmp file usage.

@DPATCH@
diff -urNad gsambad-0.1.6~/src/populate_conns.c 
gsambad-0.1.6/src/populate_conns.c
--- gsambad-0.1.6~/src/populate_conns.c 2006-07-21 01:04:44.000000000 +0200
+++ gsambad-0.1.6/src/populate_conns.c  2007-07-10 18:41:47.000000000 +0200
@@ -48,6 +48,9 @@
     long file_size=0, old_pos=0;
     gchar *combined=NULL;
     gchar *utf8=NULL;
+    char command_buffer[1024];
+    char filename[] = "/tmp/gsambad-XXXXXX";
+    int tmpfd = -1;
 
     gtk_list_store_clear(widgets->conns_store);
 
@@ -64,8 +67,19 @@
     fflush(stdin);
     fflush(stdout);
 
-    /* Write the output of smbstatus to a tempfile, FIXME: Static paths and 
generally notgoodtoday */
-    if((fp=popen("touch /tmp/gsambadtmp && chmod 600 /tmp/gsambadtmp && 
smbstatus 2>&1> /tmp/gsambadtmp", "w"))==NULL)
+    /* make a secure temporary file */
+    tmpfd = mkstemp(filename);
+    if (tmpfd < 0) {
+       perror("Couldn't create safe tmp file");
+        return;
+    }
+    close(tmpfd);
+
+    /* Write the output of smbstatus to a tempfile. */
+    snprintf( command_buffer, sizeof(command_buffer) - 1,
+             "smbstatus 2>&1> %s", filename );
+
+    if((fp=popen(command_buffer, "w"))==NULL)
     {
        /* Dont show a popup */
         return;
@@ -73,7 +87,7 @@
     pclose(fp);
 
     /* We want it in a tempfile so we can scroll around in it properly */
-    if((fp=fopen("/tmp/gsambadtmp", "r"))==NULL) // FIXME: Static paths
+    if((fp=fopen(filename, "r"))==NULL) // FIXME: Static paths
     {
        /* Dont show a popup */
         return;

Reply via email to