[Fwd: Etch's and Lenny's mktemp seriously broken]

To: debian-user@lists.debian.org
Subject: [Fwd: Etch's and Lenny's mktemp seriously broken]
From: Dirk Wetter <spam@drwetter.org>
Date: Fri, 15 Aug 2008 10:51:08 +0200
Message-id: <[🔎] 48A5437C.7080908@drwetter.org>


Hi,

just submitted this bug. Am I missing something and is
this somehow "on purpose"?


Cheers,
	Dirk


-------- Original-Nachricht --------
Betreff: Etch's and Lenny's mktemp seriously broken
Datum: Fri, 15 Aug 2008 10:46:09 +0200
Von: Dirk Wetter <spam@drwetter.org>
An: submit@bugs.debian.org


Package: mktemp
Version: 1.5-2
Severity: grave
Tags: security

There's a problem with the randomness of mktemp. The
string includes a number which includes somewhat
the current process ID (based on the current PID). Worse:
Subsequent calls just seem to increase the number
by one:

me@etch:~|0% cat /etc/debian_version
4.0
me@etch:~|0% ps
  PID TTY          TIME CMD
32342 pts/2    00:00:00 zsh
32366 pts/2    00:00:00 ps
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32367
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32368
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32369
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32370
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32371
me@etch:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32372
me@etch:~|0%


If you specify more "X" you will get letters included
-- the amount seems to depend on the length of the PPID --
but as far as the numbers are concerned, it shows
the same behaviour.

This is the way it should be (Opensuse):

me@os11:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.WawJF
me@os11:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.53xOG
me@os11:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.HCmhP
me@os11:~|0% mktemp /tmp/$0.$$.XXXXX



I suggest you use

a) a mixture of letters and numbers for mktemp (more letters, since
   1 out of 26 has higher degree of randomness than 1 out of 10).
b) don't include a fixed ratio or position of letters/numbers
c) neither base the numbers or also letters on PIDs or any other
   predictable values. Use /dev/(u)random or similar.


This also applies to Debian Lenny.


Cheers,
	Dirk






--
Dirk Wetter @ Dr. Wetter IT Consulting          http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz

Reply to:

Follow-Ups:
- Re: [Fwd: Etch's and Lenny's mktemp seriously broken]
  - From: Sven Joachim <svenjoac@gmx.de>

Prev by Date: Re: new problem with sound
Next by Date: CUPS problem
Previous by thread: Re: What to do with multiple kernel images
Next by thread: Re: [Fwd: Etch's and Lenny's mktemp seriously broken]
Index(es):
- Date
- Thread