ports/52098: security/fuzz: privilege escalation bug

Jim Geovedi jim at corebsd.or.id
Mon May 12 09:20:09 UTC 2003


>Number:         52098
>Category:       ports
>Synopsis:       security/fuzz: privilege escalation bug
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 12 02:20:07 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Jim Geovedi
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Liquid Magnesium Networks
>Environment:
System: FreeBSD toxic.magnesium.net 4.6-STABLE FreeBSD 4.6-STABLE #5: Thu Aug 1 09:24:17 PDT 2002 unfurl at toxic.magnesium.net:/users/world/obj/users/world/src/sys/TOXIC i386


	
>Description:
	fuzz creates a temporary file without taking appropriate security
	precautions.  This bug could allow an attacker to gain the privileges
	of the user invoking fuzz, excluding root (fuzz does not allow itself
	to be invoked as root).
>How-To-Repeat:
	
>Fix:

	

--- fuzz.diff begins here ---
diff -uNr --exclude=CVS fuzz.orig/Makefile fuzz/Makefile
--- fuzz.orig/Makefile	Thu Feb 20 10:59:04 2003
+++ fuzz/Makefile	Mon May 12 02:02:37 2003
@@ -7,6 +7,7 @@
 
 PORTNAME=	fuzz
 PORTVERSION=	0.6
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	fuzz
diff -uNr --exclude=CVS fuzz.orig/files/patch-fuzz.c fuzz/files/patch-fuzz.c
--- fuzz.orig/files/patch-fuzz.c	Wed Dec 31 16:00:00 1969
+++ fuzz/files/patch-fuzz.c	Mon May 12 01:57:12 2003
@@ -0,0 +1,20 @@
+--- fuzz.c.orig	Mon May 12 01:49:39 2003
++++ fuzz.c	Mon May 12 01:53:44 2003
+@@ -387,10 +387,16 @@
+     int progpipe[2],status;
+     char sendnewline=0;
+     unsigned long curchar=0,linelen=0;
++    int fd;
+ 
+     // finish setting up files
+     if(!execute_filename){
+-      snprintf(outfilename,MAXPATH,"/tmp%s.%lu",strrchr(progname,'/'),runs);
++      snprintf(outfilename,MAXPATH,"/tmp%s.%lu.XXXXXX",strrchr(progname,'/'),runs);
++      if ((fd=mkstemp(outfilename)) < 0) {
++         perror("Unable to create temporary file");
++         abort();
++      }
++      close(fd);
+       if((outfile=fopen(outfilename,"w"))==NULL){
+ 	fprintf(stderr,"Can't fopen outfile.\n");
+ 	abort();
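Review bot: the new lines close the mkstemp() descriptor and then reopen the file by path with `fopen(outfilename,"w")`, which reintroduces a small window in which the now-created name can be swapped out from under the program; hand the same descriptor to stdio instead, i.e. replace `close(fd);` and the `fopen()` with `if((outfile=fdopen(fd,"w"))==NULL)`. Two smaller points in the same region: `strrchr(progname,'/')` returns NULL when fuzz is run without a path component, so the `%s` in the template is handed NULL (pre-existing in the `-` line, but worth fixing while here), and the hunk should confirm fuzz.c already includes `<stdlib.h>` and `<unistd.h>`, which mkstemp() and close() need.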
--- fuzz.diff ends here ---
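As an added illustration of the hardened pattern the patch above aims for (this is example code, not the fuzz port's own source): the outfile is created atomically by mkstemp() and the descriptor is passed straight to fdopen(), so the file is never reopened by path. The helper names, the local MAXPATH and the NULL-safe handling of a progname without a slash are assumptions of the example.

```c
/* Added example, not from the PR or the fuzz port: hardened creation of the
 * fuzz outfile.  Helper names and MAXPATH are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAXPATH 1024

/* Build "/tmp/<basename>.<runs>.XXXXXX", let mkstemp() create it atomically
 * with mode 0600, and attach stdio to the same descriptor with fdopen() so
 * the file is never reopened by name.  Returns NULL on any failure. */
FILE *open_fuzz_outfile(const char *progname, unsigned long runs,
                        char *outfilename, size_t len)
{
    const char *base = strrchr(progname, '/');
    base = base ? base + 1 : progname;      /* never pass NULL to %s */
    int n = snprintf(outfilename, len, "/tmp/%s.%lu.XXXXXX", base, runs);
    if (n < 0 || (size_t)n >= len)
        return NULL;                        /* template would be truncated */
    int fd = mkstemp(outfilename);
    if (fd < 0) {
        perror("mkstemp");
        return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        perror("fdopen");
        close(fd);
        unlink(outfilename);
        return NULL;
    }
    return fp;
}

/* Check what mkstemp() guarantees: a regular file owned by the caller with
 * mode 0600 (lstat so a symlink at that path would fail the check).
 * Returns 1 if so, 0 otherwise. */
int outfile_is_private(const char *outfilename)
{
    struct stat st;
    if (lstat(outfilename, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600
           && st.st_uid == getuid();
}
```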


>Release-Note:
>Audit-Trail:
>Unformatted: