NetBSD Problem Report #32805
From smb@cs.columbia.edu Sun Feb 12 15:02:31 2006
Return-Path: <smb@cs.columbia.edu>
Received: from machshav.com (machshav.com [147.28.0.16])
by narn.netbsd.org (Postfix) with ESMTP id 7C9E363B879
for <gnats-bugs@gnats.NetBSD.org>; Sun, 12 Feb 2006 15:02:31 +0000 (UTC)
Message-Id: <20060212150230.CF0FEBB03B@bigboy.machshav.com>
Date: Sun, 12 Feb 2006 10:02:30 -0500 (EST)
From: smb@cs.columbia.edu
Reply-To: smb@cs.columbia.edu
To: gnats-bugs@netbsd.org
Subject: file creation race condition in Xsession in xsrc, xorg
X-Send-Pr-Version: 3.95
>Number: 32805
>Category: xsrc
>Synopsis: there's a /tmp file creation race condition in Xsession
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: xsrc-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 12 15:05:00 +0000 2006
>Closed-Date: Tue Jun 01 02:57:41 +0000 2010
>Last-Modified: Tue Jun 01 02:57:41 +0000 2010
>Originator: Steven M. Bellovin
>Release: NetBSD 3.99.15
>Organization:
>Environment:
System: NetBSD bigboy.machshav.com 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 smb@bigboy.machshav.com:/usr/BUILD/obj/sys/arch/i386/compile/BIGBOY i386
Architecture: i386
Machine: i386
>Description:
Xsession tries to create a log file; among the possiblities are
/tmp/xses-$USER. But an attacker could create a symlink of
that name pointing somewhere else. Normally, this would be
a very serious error; however, most of the time it will succeed
in creating $HOME/.xsession-errors and not try /tmp.
The problem is in both xsrc and xorg.
>How-To-Repeat:
See above.
>Fix:
Use mktemp instead.
>Release-Note:
>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Sun, 12 Feb 2006 18:47:41 +0000 (UTC)
Module Name: xsrc
Committed By: christos
Date: Sun Feb 12 18:47:41 UTC 2006
Modified Files:
xsrc/xfree/xc/programs/xdm/config: Xsession
Log Message:
PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
Xsession; use mktemp as suggested in the PR.
To generate a diff of this commit:
cvs rdiff -r1.3 -r1.4 xsrc/xfree/xc/programs/xdm/config/Xsession
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@netbsd.org
Cc: christos@netbsd.org
Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Mon, 13 Feb 2006 09:48:19 -0800 (PST)
On Sun, 12 Feb 2006, Christos Zoulas wrote:
> PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
> Xsession; use mktemp as suggested in the PR.
I am curious: why use the ".XXXXXX" template and then mv into place? (Why
not just mktemp "$errfile"?)
Jeremy C. Reed
technical support & remote administration
http://www.pugetsoundtechnology.com/
From: christos@zoulas.com (Christos Zoulas)
To: "Jeremy C. Reed" <reed@reedmedia.net>, gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
Date: Mon, 13 Feb 2006 12:58:54 -0500
On Feb 13, 9:48am, reed@reedmedia.net ("Jeremy C. Reed") wrote:
-- Subject: Re: PR/32805 CVS commit: xsrc/xfree/xc/programs/xdm/config
| On Sun, 12 Feb 2006, Christos Zoulas wrote:
|
| > PR/32805: Steven M. Bellovin: There's a /tmp file creation race condition in
| > Xsession; use mktemp as suggested in the PR.
|
| I am curious: why use the ".XXXXXX" template and then mv into place? (Why
| not just mktemp "$errfile"?)
I don't want just to open the "known" filename with exclusive
permissions. I want to get a new file, point the error stream to
that, and then if possible move it to the "known" filename. I am
trying to avoid the overwrite a random file through symlink attack;
the mv will overwrite the symlink with my newly created file if
successful.
christos
State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 01 Jun 2010 02:57:41 +0000
State-Changed-Why:
this was fixed ages ago; and the fix remains in modern xorg tree.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.