ports/52098: security/fuzz: privilege escalation bug
Jim Geovedi
jim at corebsd.or.id
Mon May 12 09:20:09 UTC 2003
>Number: 52098
>Category: ports
>Synopsis: security/fuzz: privilege escalation bug
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon May 12 02:20:07 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Jim Geovedi
>Release: FreeBSD 4.6-STABLE i386
>Organization:
Liquid Magnesium Networks
>Environment:
System: FreeBSD toxic.magnesium.net 4.6-STABLE FreeBSD 4.6-STABLE #5: Thu Aug 1 09:24:17 PDT 2002 unfurl at toxic.magnesium.net:/users/world/obj/users/world/src/sys/TOXIC i386
>Description:
fuzz creates a temporary file without taking appropriate security
precautions. This bug could allow an attacker to gain the privileges
of the user invoking fuzz, excluding root (fuzz does not allow itself
to be invoked as root).
>How-To-Repeat:
>Fix:
--- fuzz.diff begins here ---
diff -uNr --exclude=CVS fuzz.orig/Makefile fuzz/Makefile
--- fuzz.orig/Makefile Thu Feb 20 10:59:04 2003
+++ fuzz/Makefile Mon May 12 02:02:37 2003
@@ -7,6 +7,7 @@
PORTNAME= fuzz
PORTVERSION= 0.6
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= fuzz
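Review bot: The PORTREVISION bump is the right accompaniment to a new files/patch-fuzz.c, since the installed binary changes while PORTVERSION stays at 0.6; nothing else is needed in this hunk.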
diff -uNr --exclude=CVS fuzz.orig/files/patch-fuzz.c fuzz/files/patch-fuzz.c
--- fuzz.orig/files/patch-fuzz.c Wed Dec 31 16:00:00 1969
+++ fuzz/files/patch-fuzz.c Mon May 12 01:57:12 2003
@@ -0,0 +1,20 @@
+--- fuzz.c.orig Mon May 12 01:49:39 2003
++++ fuzz.c Mon May 12 01:53:44 2003
+@@ -387,10 +387,16 @@
+ int progpipe[2],status;
+ char sendnewline=0;
+ unsigned long curchar=0,linelen=0;
++ int fd;
+
+ // finish setting up files
+ if(!execute_filename){
+- snprintf(outfilename,MAXPATH,"/tmp%s.%lu",strrchr(progname,'/'),runs);
++ snprintf(outfilename,MAXPATH,"/tmp%s.%lu.XXXXXX",strrchr(progname,'/'),runs);
++ if ((fd=mkstemp(outfilename)) < 0) {
++ perror("Unable to create temporary file");
++ abort();
++ }
++ close(fd);
+ if((outfile=fopen(outfilename,"w"))==NULL){
+ fprintf(stderr,"Can't fopen outfile.\n");
+ abort();
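Review bot: The inner patch closes the mkstemp() descriptor and then reopens the file by name with fopen(outfilename,"w"), which reintroduces a window between close(fd) and fopen() in which the path can be swapped; use fdopen(fd,"w") on the descriptor mkstemp() returned instead of the close()+fopen() pair, e.g. `if((outfile=fdopen(fd,"w"))==NULL){`. Two smaller points: strrchr(progname,'/') is passed straight to "%s" and is NULL when progname contains no slash (pre-existing, but worth handling while this line is being touched), and the new error path calls abort(), which dumps core, where the surrounding code's style would more naturally exit with an error status.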
--- fuzz.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: