NetBSD Problem Report #32805

From smb@cs.columbia.edu  Sun Feb 12 15:02:31 2006
Return-Path: <smb@cs.columbia.edu>
Received: from machshav.com (machshav.com [147.28.0.16])
	by narn.netbsd.org (Postfix) with ESMTP id 7C9E363B879
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 12 Feb 2006 15:02:31 +0000 (UTC)
Message-Id: <20060212150230.CF0FEBB03B@bigboy.machshav.com>
Date: Sun, 12 Feb 2006 10:02:30 -0500 (EST)
From: smb@cs.columbia.edu
Reply-To: smb@cs.columbia.edu
To: gnats-bugs@netbsd.org
Subject: file creation race condition in Xsession in xsrc, xorg
X-Send-Pr-Version: 3.95

>Number:         32805
>Category:       xsrc
>Synopsis:       there's a /tmp file creation race condition in Xsession
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    xsrc-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 12 15:05:00 +0000 2006
>Closed-Date:    Tue Jun 01 02:57:41 +0000 2010
>Last-Modified:  Tue Jun 01 02:57:41 +0000 2010
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.15
>Organization:
>Environment:


System: NetBSD bigboy.machshav.com 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 smb@bigboy.machshav.com:/usr/BUILD/obj/sys/arch/i386/compile/BIGBOY i386
Architecture: i386
Machine: i386
>Description:
	Xsession tries to create a log file; among the possibilities are
	/tmp/xses-$USER.  But an attacker could create a symlink of
	that name pointing somewhere else.  Normally, this would be
	a very serious error; however, most of the time it will succeed
	in creating $HOME/.xsession-errors and not try /tmp.

	The problem is in both xsrc and xorg.
>How-To-Repeat:
	See above.
>Fix:
	Use mktemp instead.

>Release-Note:

>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Sun, 12 Feb 2006 18:47:41 +0000 (UTC)

 Module Name:	xsrc
 Committed By:	christos
 Date:		Sun Feb 12 18:47:41 UTC 2006

 Modified Files:
 	xsrc/xfree/xc/programs/xdm/config: Xsession

 Log Message:
 PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
 Xsession; use mktemp as suggested in the PR.


 To generate a diff of this commit:
 cvs rdiff -r1.3 -r1.4 xsrc/xfree/xc/programs/xdm/config/Xsession

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@netbsd.org
Cc: christos@netbsd.org
Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Mon, 13 Feb 2006 09:48:19 -0800 (PST)

 On Sun, 12 Feb 2006, Christos Zoulas wrote:

 >  PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
 >  Xsession; use mktemp as suggested in the PR.

 I am curious: why use the ".XXXXXX" template and then mv into place? (Why 
 not just mktemp "$errfile"?)

  Jeremy C. Reed

  	  	 	 technical support & remote administration
 	  	 	 http://www.pugetsoundtechnology.com/

From: christos@zoulas.com (Christos Zoulas)
To: "Jeremy C. Reed" <reed@reedmedia.net>, gnats-bugs@netbsd.org
Cc: 
Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Mon, 13 Feb 2006 12:58:54 -0500

 On Feb 13,  9:48am, reed@reedmedia.net ("Jeremy C. Reed") wrote:
 -- Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config

 | On Sun, 12 Feb 2006, Christos Zoulas wrote:
 | 
 | >  PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
 | >  Xsession; use mktemp as suggested in the PR.
 | 
 | I am curious: why use the ".XXXXXX" template and then mv into place? (Why 
 | not just mktemp "$errfile"?)

 I don't want just to open the "known" filename with exclusive
 permissions.  I want to get a new file, point the error stream to
 that, and then if possible move it to the "known" filename. I am
 trying to avoid the overwrite a random file through symlink attack;
 the mv will overwrite the symlink with my newly created file if
 successful.

 christos
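
The sequence described in the reply above, next to the direct open it replaced, as an added example that is not the committed Xsession change. The function names (`naive_errlog`, `safe_errlog`, `trial`) and the scratch directory with its planted link are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Function names and the scratch layout are hypothetical.

# Pre-fix pattern: open the predictable name directly. The shell's ">"
# follows a symlink at that name and truncates whatever it points to.
naive_errlog() {
    exec 3>"$1" && ERRLOG=$1
}

# Pattern from the reply: get a new file first, rename it second.
safe_errlog() {
    # mktemp creates a randomly named file exclusively; umask keeps it 0600.
    tmp=$(umask 077 && mktemp "$1.XXXXXX") || return 1
    exec 3>"$tmp"    # stands in for Xsession redirecting stdout/stderr
    # mv renames over the directory entry "$1": a symlink to a file (as
    # constructed below) is replaced and its target is never written to.
    if mv -f "$tmp" "$1" 2>/dev/null; then ERRLOG=$1; else ERRLOG=$tmp; fi
}

# Run one variant against a constructed directory holding a planted link.
# Prints "<victim state> <type of the log path>".
trial() {
    dir=$(mktemp -d) || return 1
    echo "precious" > "$dir/victim"
    ln -s "$dir/victim" "$dir/xses-user"    # constructed pre-planted symlink
    "$1" "$dir/xses-user" || return 1
    echo "session output" >&3               # what the session would log
    exec 3>&-
    if [ "$(cat "$dir/victim")" = "precious" ]; then v=intact; else v=clobbered; fi
    if [ -L "$ERRLOG" ]; then t=symlink; else t=regular; fi
    rm -rf "$dir"
    echo "$v $t"
}

trial naive_errlog    # clobbered symlink
trial safe_errlog     # intact regular
```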

State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 01 Jun 2010 02:57:41 +0000
State-Changed-Why:
this was fixed ages ago; and the fix remains in modern xorg tree.


>Unformatted:
