[EMAIL PROTECTED] (Karl Berry) wrote:

> > This has been assigned CAN-2005-3011, please mention this number in
> > the changelog when you fix this to allow easy tracking.
>
> Someone, please send me the actual bug report, and (hopefully) a fix.

Excuse me - any Debian bug report can be accessed via its bug number, so
this time it is http://bugs.debian.org/328365

The text is:

,----
| There is a race condition on creating temporary files in texindex.
| The following function generates the name of the temporary file:
| static char *
| maketempname (int count)
| {
|   static char *tempbase = NULL;
|   char tempsuffix[10];
|
|   if (!tempbase)
|     {
|       int fd;
|       tempbase = concat (tempdir, "txidxXXXXXX");
|
|       fd = mkstemp (tempbase);
|       if (fd == -1)
|         pfatal_with_name (tempbase);
|     }
|
|   sprintf (tempsuffix, ".%d", count);
|   return concat (tempbase, tempsuffix);
| }
|
| which is used later as
|
|   char *outname = maketempname (++tempcount);
|   FILE *ostream = fopen (outname, "w");
|
| Since the further filenames are deterministic after the first one
| is generated, this is easily exploitable.
| The use case is rather rare though since the temporary files are only
| generated if the file to sort is longer than 50.000 lines which is
| probably not too common.
`----

Frank also commented on a potential patch:

,----
| In OpenBSD this seems to have been fixed in 2000 (sic!), see this patch
| http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/texinfo/util/texindex.c.diff?r1=1.2&r2=1.3
| (which probably doesn't apply today cleanly anymore but could be adapted).
| It introduces a possibility for DoS but fixes the race...
`----

I don't see why texindex cannot simply use completely random filenames?
They are saved in an array and accessed as tempfiles[i], anyway.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
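The approach suggested in the message above (a fresh random name for every temporary file, with the names kept in an array), as an added example that is not part of the original message and not texinfo's or OpenBSD's code. The helpers `open_tempfile` and `cleanup_tempfiles`, the `MAX_TEMPFILES` limit and the `/tmp` directory are assumptions made for illustration; `tempfiles` and `tempcount` only borrow the names used in the report.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L          /* for mkstemp and fdopen */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_TEMPFILES 8                  /* hypothetical limit for this sketch */
static char *tempfiles[MAX_TEMPFILES];   /* names kept for later reading/unlinking */
static int tempcount;

/* Create the next temporary file under its own random name. mkstemp opens
   with O_CREAT|O_EXCL, so it never opens an existing file or follows a
   planted symlink, and no later name can be derived from an earlier one. */
static FILE *open_tempfile(const char *tempdir)
{
    size_t len = strlen(tempdir) + sizeof "/txidxXXXXXX";
    char *name = tempcount < MAX_TEMPFILES ? malloc(len) : NULL;
    if (!name) return NULL;
    snprintf(name, len, "%s/txidxXXXXXX", tempdir);
    int fd = mkstemp(name);    /* chooses the name and creates the file atomically */
    FILE *fp = fd == -1 ? NULL : fdopen(fd, "w");   /* keep the fd, never fopen(name) */
    if (!fp) {
        if (fd != -1) { close(fd); unlink(name); }
        free(name);
        return NULL;
    }
    tempfiles[tempcount++] = name;
    return fp;
}

/* Remove every temporary file created so far. */
static void cleanup_tempfiles(void)
{
    while (tempcount > 0) {
        unlink(tempfiles[--tempcount]);
        free(tempfiles[tempcount]);
    }
}

int main(void)
{
    FILE *a = open_tempfile("/tmp"), *b = open_tempfile("/tmp");
    if (a && b) printf("%s\n%s\n", tempfiles[0], tempfiles[1]);
    if (a) fclose(a);
    if (b) fclose(b);
    cleanup_tempfiles();
    return !(a && b);
}
```

Unlike the quoted `maketempname`, no file is ever opened by a name that was fixed before the open call, so there is no window between choosing the name and creating the file.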