Bug#678026: libatk-adaptor: insecure tempdir handling

[Julien Cristau <jcristau@debian.org>]

On Mon, Jun 18, 2012 at 19:57:22 +0200, Julien Cristau wrote:

> Package: libatk-adaptor
> Version: 2.5.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> atk-adaptor/bridge.c::register_application() is a big pile of FAIL.
> 
I'd suggest something like this to make things a little bit better.
(Completely untested.)

diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
index 3a28faf..98f91ef 100644
--- a/atk-adaptor/bridge.c
+++ b/atk-adaptor/bridge.c
@@ -328,6 +328,7 @@ register_application (SpiBridge * app)
   DBusError error;
   DBusPendingCall *pending;
   const int max_addr_length = 128; /* should be long enough */
+  char template[] = "/tmp/at-spi2-XXXXXX";
 
   dbus_error_init (&error);
 
@@ -355,13 +356,11 @@ register_application (SpiBridge * app)
   if (message)
     dbus_message_unref (message);
 
-  /* could this be better, we accept some amount of race in getting the temp name*/
-  /* make sure the directory exists */
-  mkdir ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
-  chmod ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
+  if (!mkdtemp(template))
+         return FALSE;
   app->app_bus_addr = g_malloc(max_addr_length * sizeof(char));
 #ifndef DISABLE_P2P
-  sprintf (app->app_bus_addr, "unix:path=/tmp/at-spi2/socket-%d-%d", getpid(),
+  sprintf (app->app_bus_addr, "unix:path=%s/socket-%d-%d", template, getpid(),
            rand());
 #else
   app->app_bus_addr [0] = '\0';


Cheers,
Julien