[Bug 2715] Insecure file creation of "regxxxxxxx.tmp" in /tmp
Wine Bugs
wine-bugs at winehq.org
Mon Feb 14 05:54:38 CST 2005
http://bugs.winehq.org/show_bug.cgi?id=2715
------- Additional Comments From badpenguin79 at hotmail.com 2005-14-02 05:54 -------
Note: Also, the 20050211 release is affected.
The problem is in the function _get_tmp_fn(FILE **) (in
$WineRelease/misc/registry.c):
---------------------------------------------------------
static LPSTR _get_tmp_fn(FILE **f)
{
    LPSTR ret;
    int tmp_fd,count;

    ret = _xmalloc(50);
    for (count = 0;;) {
        sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);
        /* --> the line at issue: the file is created with mode 0666 */
        if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
        if (errno != EEXIST) {
            ERR("Unexpected error while open() call: %s\n",strerror(errno));
            free(ret);
            *f = NULL;
            return NULL;
        }
    }
---------------------------------------------------
When regxxxxxx.tmp is created by open(), mode 0666 is used.
Since the default umask is 022:
(0666) & ~(022) = 0644 = -rw-r--r--
Solution:
Use .. open(ret,O_CREAT | O_EXCL | O_WRONLY,0600))..
Best regards,
Giovanni Delvecchio
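
Added example (not part of the original bug comment or of Wine's code): a small C program that creates a file with the same open() flags under umask 022 and reads back the permission bits that result from modes 0666 and 0600, with mkstemp() shown for comparison. The helper names and the scratch paths under /tmp are constructed for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file with O_CREAT|O_EXCL|O_WRONLY and the requested mode under
 * the given umask; return the permission bits actually applied, or -1. */
static int created_mode(mode_t requested, mode_t mask)
{
    char dir[] = "/tmp/modedemoXXXXXX";   /* constructed scratch directory */
    char path[64];
    struct stat st;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof(path), "%s/reg.tmp", dir);
    mode_t old = umask(mask);             /* apply the umask under test */
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);                           /* restore the caller's umask */
    if (fd != -1) {
        if (fstat(fd, &st) == 0) result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* mkstemp() chooses the file name itself and requests mode 0600
 * (POSIX.1-2008); the process umask can only clear further bits. */
static int mkstemp_mode(void)
{
    char path[] = "/tmp/regdemoXXXXXX";   /* constructed template */
    struct stat st;
    int result = -1, fd = mkstemp(path);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == 0) result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("0666, umask 022: %04o\n", (unsigned)created_mode(0666, 022));
    printf("0600, umask 022: %04o\n", (unsigned)created_mode(0600, 022));
    printf("mkstemp():       %04o\n", (unsigned)mkstemp_mode());
    return 0;
}
```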