On Sat, Jul 30, 2005 at 12:54:10AM -0400, Joey Hess wrote:
> CAN-2004-2265 is a security hole in uudeview, although you won't find
> much useful info in the advisories associated with that CAN.
[...]
> This is a race, exploitable when uudeview is run on standard input.
> I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
> find unrelated changes also of interest. The relevant fixes for this hole
> are the changes involving tempnam and _FP_tempnam.
While I see the race I fail to see how the patch fixes that.

> mkstemp security enhancement. Similar to
> FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508
> SuSE uudeview-0.5.18-244.src.rpm
[...]
> --- uulib/fptools.c
> +++ uulib/fptools.c
> @@ -507,5 +507,15 @@
> char * TOOLEXPORT
> _FP_tempnam (char *dir, char *pfx)
> {
> - return _FP_strdup (tmpnam (NULL));
> + int fd;
> + char fileName[100];
> +
> + strncpy(fileName, pfx, 90);
> + strcat(fileName, "XXXXXX");
> + fd = mkstemp(fileName);
> + if (fd == -1)
> + return NULL;
> + close(fd);
> + unlink(fileName);
> + return _FP_strdup (fileName);
> }

I mean, after closing fd _and_ unlinking the temporary file it is completely
gone and the race is open again, isn't it? Wouldn't the right fix be to
return the fd from the function and not bother about the filename at all?

Regards,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
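
Review bot: In _FP_tempnam the sequence close(fd); unlink(fileName); ahead of return _FP_strdup (fileName); discards the file that mkstemp created exclusively, so the caller receives only a pathname that is free again and has to create it a second time by name. Either return the descriptor to the caller, or leave the file in place and have callers open the existing file, and adjust the call sites to match. Separately, strncpy(fileName, pfx, 90) leaves fileName unterminated when pfx is 90 bytes or longer, and the following strcat then starts from an unterminated buffer; terminate explicitly or build the template with a bounded formatter.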
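
The difference Frank's question points at, as an added example that is not code from the thread, uudeview or OpenPKG: a helper that keeps the descriptor from mkstemp() next to one that follows the patched create/close/unlink sequence, with a probe showing which pathname is still reserved. The names temp_open, name_only, name_is_taken and the /tmp/uud-demo- prefix are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper, not uulib API: create the file and return the
 * descriptor mkstemp() opened, so the caller never reopens by name. */
int temp_open(const char *pfx, char *name, size_t len)
{
    int n = snprintf(name, len, "%sXXXXXX", pfx);  /* always terminated */
    if (n < 0 || (size_t)n >= len)                 /* prefix too long */
        return -1;
    return mkstemp(name);  /* created with O_EXCL, mode 0600 */
}

/* Follows the patched _FP_tempnam sequence: create, close, unlink, keep name. */
int name_only(const char *pfx, char *name, size_t len)
{
    int fd = temp_open(pfx, name, len);
    if (fd == -1)
        return -1;
    close(fd);
    unlink(name);
    return 0;
}

/* 1 if path is occupied, 0 if any other process could create it now. */
int name_is_taken(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return errno == EEXIST ? 1 : -1;
    close(fd);
    unlink(path);  /* remove the probe file */
    return 0;
}

int main(void)
{
    char a[128], b[128];  /* constructed demo prefix under /tmp */
    int fd = temp_open("/tmp/uud-demo-", a, sizeof a);
    if (fd == -1 || name_only("/tmp/uud-demo-", b, sizeof b) == -1)
        return 1;
    printf("fd kept: taken=%d, name only: taken=%d\n",
           name_is_taken(a), name_is_taken(b));
    close(fd);
    return unlink(a) == 0 ? 0 : 1;
}
```

With the descriptor kept, an exclusive create on the same path fails with EEXIST; after the close/unlink sequence the same probe succeeds, which is the window the reply describes.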