About [ZH2005-02SA] Insecure tmp file creation in Wine

Giovanni Delvecchio bad.penguin at linuxmail.org
Thu Mar 24 08:27:50 CST 2005


Hello list,
I noted that the patch provided ( http://www.winehq.org/hypermail/wine-devel/2005/03/0624.html )
to fix that problem isn't secure yet, because a symlink attack could be possible if /tmp is a mounted NFS file system.

Indeed:

1) The name of the file in /tmp is easily predictable; it uses getpid().
2) When O_EXCL is used with O_CREAT, it is an error if the file already exists and the open will fail. O_EXCL is broken
on NFS file systems; programs which rely on it for performing locking tasks will contain a race condition.


Possible fix using the tempnam() function to generate a pseudo-random string for the tmp file name:
_______________________________________________________________
--- misc/registry.c Thu Mar 24 13:36:43 2005
+++ misc/registry.c Thu Mar 24 13:46:46 2005
@@ -1222,12 +1222,11 @@
static LPSTR _get_tmp_fn(FILE **f)
{
    LPSTR ret;
-    int tmp_fd,count;
+    int tmp_fd;

-    ret = _xmalloc(50);
-    for (count = 0;;) {
-        sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++);
-        if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break;
+    for (;;) {
+        ret = tempnam("/tmp", "reg");
+        if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0600)) != -1) break;
        if (errno != EEXIST) {
            ERR("Unexpected error while open() call: %s\n",strerror(errno));
            free(ret);
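Review bot: The retry loop still depends on open(ret, O_CREAT | O_EXCL | O_WRONLY, 0600) for exclusivity, which is the same flag the message describes as broken on NFS, so on such a /tmp the protection rests only on the name from tempnam() being hard to guess, and tempnam() only returns a name, leaving a window between choosing it and the open(). Consider mkstemp(), which picks the name and creates the file in one call and returns a descriptor that can be stored in tmp_fd directly. Also, ret = tempnam("/tmp", "reg") is used without a NULL check, tempnam() prefers the TMPDIR environment variable over the "/tmp" argument so the directory is not fixed, and because every pass assigns a newly allocated string to ret, the EEXIST retry path needs a free(ret) before looping if it does not already have one outside the visible lines.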
_______________________________________________________________


Best regards,

Giovanni Delvecchio
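
An added example, not part of the original post and not Wine code: one way to address both points raised above by letting mkstemp() choose an unpredictable name and create the file exclusively in a single call, then checking that the descriptor really refers to a fresh, private regular file. The helper name open_private_tmp and the template path in main are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical helper (not Wine code). `tmpl` must be a writable buffer
 * ending in "XXXXXX"; mkstemp() overwrites those characters with the chosen
 * name. Returns an open descriptor, or -1 on failure. */
int open_private_tmp(char *tmpl)
{
    struct stat fd_st, path_st;
    mode_t old_mask = umask(077);   /* old libcs created the file 0666 */
    int fd = mkstemp(tmpl);         /* random name + O_CREAT|O_EXCL in one step */
    umask(old_mask);
    if (fd == -1)
        return -1;

    /* Defence in depth: the object behind fd must be a regular file we own,
     * with one link and no group/other access, and the path must still name
     * that same inode without a symlink in between (lstat does not follow). */
    if (fstat(fd, &fd_st) == -1 || lstat(tmpl, &path_st) == -1 ||
        !S_ISREG(fd_st.st_mode) || !S_ISREG(path_st.st_mode) ||
        fd_st.st_uid != geteuid() || fd_st.st_nlink != 1 ||
        (fd_st.st_mode & 077) != 0 ||
        fd_st.st_dev != path_st.st_dev || fd_st.st_ino != path_st.st_ino) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[] = "/tmp/regXXXXXX";   /* constructed sample template */
    int fd = open_private_tmp(path);
    if (fd == -1) {
        perror("open_private_tmp");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

The descriptor can be wrapped with fdopen() where a FILE * is needed; where /tmp may be a shared or network mount, pointing the template at a per-user directory that other users cannot write to avoids the race altogether.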
