[Full-disclosure] Re: arc insecure temporary file creation
From: Joey Schulze (joey infodrom.org)
Date: Tue Sep 20 2005 - 13:23:30 CDT
ZATAZ Audits wrote:
> The vulnerability is caused due to temporary file being created insecurely.
> The temporary file used for archive creation could be read by untrusted
> users.
This is not just an information leak, but also a symlink vulnerability
since the temporary file is created without ensuring that either it
does not exist before or is owned by the same user, while it is placed
in a usually publicly writable directory.
The following patch should fix both issues.
--- arcsvc.c~ 2005-03-13 16:48:09.000000000 +0100
+++ arcsvc.c 2005-09-17 09:41:51.000000000 +0200

-17,6 +17,9 
Computer Innovations Optimizing C86
*/
#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#include "arc.h"
#if _MTS
#include <mts.h>
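Review bot: the three new `#include` lines at the top of arcsvc.c are added unconditionally, while the surrounding context (the "Computer Innovations Optimizing C86" comment above them and the `#if _MTS` block below) suggests this file is also built with non-POSIX compilers. Consider guarding `<sys/types.h>`, `<sys/stat.h>` and `<fcntl.h>` with the same kind of platform conditional the file already uses, so that targets without these headers or without `open()` still compile.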

-52,7 +55,12 
openarc(chg) /* open archive */
}
#endif
if (chg) { /* if opening for changes */
- if (!(new = fopen(newname, OPEN_W)))
+ int fd;
+
+ if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1)
+ arcdie("Cannot create archive copy: %s", newname);
+
+ if (!(new = fdopen(fd, OPEN_W)))
arcdie("Cannot create archive copy: %s", newname);
changing = chg; /* note if open for changes */
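Review bot: both failure branches in `openarc` print the identical "Cannot create archive copy: %s" and neither reports `errno`, so the user cannot tell an `EEXIST` from the new `O_EXCL` open (a stale copy or a planted link at `newname`) apart from a permissions error or an `fdopen` failure. Suggest adding `strerror(errno)` to the first message, giving the `fdopen` branch its own wording, and closing `fd` on that branch if `arcdie` can return. Style point: `S_IREAD|S_IWRITE` are the legacy names; `S_IRUSR|S_IWUSR` are the POSIX spellings of the same owner read/write mode.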
Regards,
Joey
--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
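
The difference between the original `fopen` call and the patched `open(..., O_CREAT|O_EXCL, ...)` when the temporary name already exists as a symlink, as an added example that is not part of the original message or of arc's source. The `create_excl` helper, the `open_errno` variable and the `victim`/`arc.tmp` names are constructed for the demonstration, which runs entirely inside a private `mkdtemp()` directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int open_errno;  /* errno of the last open under test, 0 on success */

/* Hardened create: O_CREAT|O_EXCL fails with EEXIST if the name already
 * exists, including when it is a symlink (the link is not followed). */
static FILE *create_excl(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd == -1) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) close(fd);          /* do not leak the descriptor */
    return fp;
}

/* Constructed scenario: "victim" holds 6 bytes and "arc.tmp" is a symlink
 * to it. Returns the victim's size after the chosen open is attempted. */
long victim_size_after(int hardened)
{
    char dir[] = "/tmp/arcdemoXXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/arc.tmp", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("secret", v);
    fclose(v);
    if (symlink(victim, tmp) != 0) return -1;
    FILE *fp = hardened ? create_excl(tmp) : fopen(tmp, "w");
    open_errno = fp ? 0 : errno;
    if (fp) fclose(fp);
    long n = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return n;
}

int main(void)
{
    long naive = victim_size_after(0), safe = victim_size_after(1);
    printf("fopen \"w\": %ld bytes left; O_EXCL: %ld bytes left, errno %d\n",
           naive, safe, open_errno);
    return 0;
}
```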