Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)

To: Matt Zimmerman <mdz@debian.org>
Cc: 174987@bugs.debian.org
Subject: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
From: Julian Gilbey <jdg@polya.uklinux.net>
Date: Sun, 5 Jan 2003 11:55:57 +0000
Message-id: <[🔎] 20030105115557.GB725@polya>
Reply-to: Julian Gilbey <jdg@polya.uklinux.net>, 174987@bugs.debian.org
In-reply-to: <[🔎] 20030105023439.GG30199@mizar.alcor.net>
References: <[🔎] 20030103090045.GA1533@polya> <[🔎] 20030103155705.GB17378@mizar.alcor.net> <[🔎] 20030104222009.GB813@polya> <[🔎] 20030105014218.GF30199@mizar.alcor.net> <[🔎] 20030105023000.GE3960@polya> <[🔎] 20030105023439.GG30199@mizar.alcor.net>

On Sat, Jan 04, 2003 at 09:34:39PM -0500, Matt Zimmerman wrote:
> > The point, though, is: once the file has been created, a symlink
> > attack can be used if the directory is world-writeable (with no sticky
> > bit set).  Does tempfile only create files in "safe" directories?
> 
> man tempfile:
> 
>        The directory to place the file is searched for in the following order:
> 
>        a)     The directory specified by the environment variable  TMPDIR,  if
>               it is writable.
> 
>        b)     The directory specified by the --directory argument, if given.
> 
>        c)     The directory /tmp.

No, that's not good enough as this bug report points out: if TMPDIR is
specified and is world-writable without a sticky bit, or if /tmp is
similarly, then this opens us up for a race condition.

I don't have a good suggestion for how to fix tempfile properly, other
than for it to test the directory and to fail if these conditions are
not properly met.

I'm going to send this on to security.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

        Julian Gilbey, website: http://www.polya.uklinux.net/
   Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/
     Visit http://www.thehungersite.com/ to help feed the hungry

Reply to:

Follow-Ups:
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>

References:
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Bug#170382: acknowledged by developer (Bug#170382: fixed in tetex-base 1.0.2+20021025-4)
Next by Date: Re: CVS kohda tetex-bin: removed ctanglie.1 cweave.1 mf-nowin.1 from dh_undocumented entries
Previous by thread: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
Next by thread: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
Index(es):
- Date
- Thread