FreeBSD Port: mpack-1.6
Paul Schmehl
pauls at utdallas.edu
Wed Mar 1 12:08:23 PST 2006
--On Wednesday, March 01, 2006 22:33:04 +0300 Sergey Matveychuk
<sem at FreeBSD.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Boris Samorodov wrote:
>> Can't say for sure why that patch exists, but deletting
>> files/patch-unixpk_c should help. Cvs says "Yet another overflow
>> check, better temp file name & misc cleanups". Assume this comment is
>> for the whole commit.
>
> The patch fixes an insecure temp file handling. But I think the handling
> could be changed between versions and it's useless (even harm?) now.
>
I included it in my patch anyway.
I found the problem, but before I commit it, I want to make sure I'm not
doing something stupid.
In unixos.c you will find this construct:
#ifdef O_EXCL
fd=open(fname, O_RDWR|O_CREAT|O_EXCL, 0644);
#else
fd=open(fname, O_RDWR|O_CREAT|O_TRUNC, 0644);
#endif
I don't understand this. Why would you use O_EXCL here? ISTM there's
almost no chance of overwriting an existing file, because the filename
created is mpackXXXXXX, where XXXXXX is generated this way:
93231 mpack CALL getpid
93231 mpack RET getpid 93231/0x16c2f
93231 mpack CALL gettimeofday(0xbfbfd368,0)
93231 mpack RET gettimeofday 0
93231 mpack CALL __sysctl(0xbfbfd368,0x2,0x804d5e0,0xbfbfd384,0,0)
93231 mpack RET __sysctl 0
93231 mpack CALL open(0x804f060,0xa02,0x1a4)
93231 mpack NAMI "/tmp/mpackkZ1dQH"
So the chances of overwriting a file with the same random char set is close
to nil. But even *if* you overwrite the file, it's going to be one that
you created previously using mpack, so what's the big deal? That previous
operation would have already concluded - successfully or unsuccessfully,
right?
So I removed the ifdef statement and left just the file descriptor line:
fd=open(fname, O_RDWR|O_CREAT|O_TRUNC, 0644);
Now the program works as expected. Can anyone tell me why you would want
to use O_EXCL here?
If I haven't missed something really terrible, I'll commit the patches, and
the port should be fixed (at least this problem.)
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
More information about the freebsd-ports
mailing list