Bug#678026: libatk-adaptor: insecure tempdir handling
On Mon, Jun 18, 2012 at 19:57:22 +0200, Julien Cristau wrote:
> Package: libatk-adaptor
> Version: 2.5.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> atk-adaptor/bridge.c::register_application() is a big pile of FAIL.
>
I'd suggest something like this to make things a little bit better.
(Completely untested.)
diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
index 3a28faf..98f91ef 100644
--- a/atk-adaptor/bridge.c
+++ b/atk-adaptor/bridge.c
@@ -328,6 +328,7 @@ register_application (SpiBridge * app)
DBusError error;
DBusPendingCall *pending;
const int max_addr_length = 128; /* should be long enough */
+ char template[] = "/tmp/at-spi2-XXXXXX";
dbus_error_init (&error);
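Review bot: The template on the added line hard-codes `/tmp`, so the socket directory ignores TMPDIR and still lives under a shared, world-writable parent, even though mkdtemp() makes the directory itself private. A per-user runtime directory would be a better parent, for example the path returned by `g_get_user_runtime_dir()` if the GLib version in use provides it; that means building the template at run time instead of as a fixed array. A short comment on the declaration would also help, such as `/* modified in place by mkdtemp(); must be a writable array, not a string literal */`. The declaration block of register_application starts outside this hunk.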
@@ -355,13 +356,11 @@ register_application (SpiBridge * app)
if (message)
dbus_message_unref (message);
- /* could this be better, we accept some amount of race in getting the temp name*/
- /* make sure the directory exists */
- mkdir ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
- chmod ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
+ if (!mkdtemp(template))
+ return FALSE;
app->app_bus_addr = g_malloc(max_addr_length * sizeof(char));
#ifndef DISABLE_P2P
- sprintf (app->app_bus_addr, "unix:path=/tmp/at-spi2/socket-%d-%d", getpid(),
+ sprintf (app->app_bus_addr, "unix:path=%s/socket-%d-%d", template, getpid(),
rand());
#else
app->app_bus_addr [0] = '\0';
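Review bot: The `mkdtemp` call sits above `#ifndef DISABLE_P2P`, so a build with P2P disabled still creates a directory under /tmp for every registering application and never uses it; moving the call inside the `#ifndef` branch avoids that. In either branch the directory name is kept only in the stack array `template` (and embedded in the address string), so nothing visible here can remove it later; unless cleanup happens elsewhere, each run leaves a directory behind. The `sprintf` into the 128-byte `app_bus_addr` fits with the current template, but bounding it keeps that true if the path changes: `snprintf (app->app_bus_addr, max_addr_length, "unix:path=%s/socket-%d-%d", template, getpid(), rand());`. The body of register_application continues outside this hunk.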
Cheers,
Julien