[Secure-testing-team] Bug#655496: Insecure temporary file creation in /tmp

Jim Paris jim at jtan.com
Wed Jan 11 17:37:05 UTC 2012


Package: as31
Version: 2.3.1-4
Severity: important
Tags: security

as31 creates a temporary file during assembly.  It uses the UID and
random() in the filename, but the random number generator is never
seeded, and so the filename is predictably the same every time,
introducing a security hole:

  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
  $ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

The attached patch changes it to use mkstemps instead, giving:

  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-zadWSD.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-jkeFed.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
  $ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
  open("/tmp/as31-PzQu9r.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3

-jim

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (200, 'stable'), (150, 'oldstable'), (80, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages as31 depends on:
ii  libc6  2.11.2-10

as31 recommends no packages.

as31 suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: as31-mkstemps.patch
Type: text/x-c
Size: 842 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120111/c2cf6e92/attachment.bin>
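
The difference between the two naming schemes reported above, as an added example; this is not as31's source or the attached patch. The function names are hypothetical and the old name format is an assumption inferred from the strace output.

```c
#define _DEFAULT_SOURCE   /* exposes random(), srandom(), mkstemps() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* random() with no prior srandom() behaves as if srandom(1) had been called,
 * so seeding with 1 reproduces the first value every fresh process sees. */
long first_unseeded_random(void) {
    srandom(1);
    return random();
}

/* Assumed reconstruction of the old scheme: UID plus unseeded random(). */
void legacy_tmp_name(char *buf, size_t n) {
    snprintf(buf, n, "/tmp/as31-%ld-%ld.asm", (long)getuid(), first_unseeded_random());
}

/* mkstemps() picks the name and opens it with O_CREAT|O_EXCL, mode 0600.
 * The 4 is the length of the ".asm" suffix kept after the XXXXXX field. */
int safe_tmp_asm(char *path, size_t n) {
    snprintf(path, n, "/tmp/as31-XXXXXX.asm");
    return mkstemps(path, 4);
}

/* Permission bits of an open file, or -1 on error. */
int tmp_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* errno from an exclusive create of a path that already exists (0 if it did not). */
int excl_create_errno(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? errno : (close(fd), 0);
}

int main(void) {
    char a[64], p[64];
    legacy_tmp_name(a, sizeof a);
    int fd = safe_tmp_asm(p, sizeof p);
    if (fd < 0) { perror("mkstemps"); return 1; }
    printf("legacy:   %s (same name on every run)\n", a);
    printf("mkstemps: %s mode %o, re-create with O_EXCL: %s\n", p, tmp_mode(fd), strerror(excl_create_errno(p)));
    close(fd); unlink(p);
    return 0;
}
```

With O_EXCL the create fails with EEXIST when the name is already present, where the old O_CREAT|O_TRUNC open would have reused whatever was there.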

