[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] New version of ghostscript released

(I replied to the security announcement, and I didn't notice that
security@debian.org wasn't the same thing as
debian-security@lists.debian.org, so I'm sending it here, where I meant to.)

> ghostscript uses temporary files to do some of its work. Unfortunately
> the method used to create those files wasn't secure: mktemp was used
> to create a name for a temporary file, but the file was not opened
> safely.
 There seems to be a lot of this going on.  Is it possible to modify glibc
so that it flags dangerous actions with stuff in /tmp?  I don't thing such a
modified glibc should be part of the glibc package, but it could be useful
for people who wanted to look for programs with problems.  After we think we
have most of them :), maybe some checks for using deprecated functions could
be put in so calling tempnam would result in a warning being syslogged or a
warning printed to stdout, or something, asking the user to tell the
maintainer that the program did <whatever>.  This would catch some problems in
programs that aren't widely used, and so probably won't get audited.

 I guess the things to look for would be calls to tempnam, and calls to open
with O_CREAT and not O_EXCL, on files in publically writeable directories.
(This isn't quite right, I'm sure, but something in that vein.)  This would
add some overhead, and so it wouldn't be appropriate to use in the standard C

 For starters, grep -l tmpnam -r /usr/bin/* gives:

 I notice that this list includes dpkg!  Somebody should have a look...

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: