NetBSD Problem Report #45558

From dholland@netbsd.org  Wed Nov  2 15:30:11 2011
Return-Path: <dholland@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 12F2A63B954
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  2 Nov 2011 15:30:11 +0000 (UTC)
Message-Id: <20111102153010.C939F14A3EC@mail.netbsd.org>
Date: Wed,  2 Nov 2011 15:30:10 +0000 (UTC)
From: dholland@NetBSD.org
Reply-To: dholland@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: lang/caml-light insecure-temporary-files (CVE-2011-4119)
X-Send-Pr-Version: 3.95

>Number:         45558
>Category:       pkg
>Synopsis:       lang/caml-light insecure-temporary-files (CVE-2011-4119)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 02 15:35:00 +0000 2011
>Closed-Date:    Sun Nov 06 20:59:46 +0000 2011
>Last-Modified:  Tue Nov 08 22:00:04 +0000 2011
>Originator:     David A. Holland
>Release:        pkgsrc current (20111102)
>Organization:
>Environment:
n/a
>Description:

caml-light uses mktemp() insecurely.

This issue has been assigned CVE-2011-4119 for reference. It also
turns out to affect Moscow ML. (Credit to Florian Weimer for noticing
this.)

>How-To-Repeat:

code auditing

>Fix:

--- yacc/main.c~	1995-06-07 09:34:32.000000000 -0400
+++ yacc/main.c	2008-09-04 22:15:26.000000000 -0400
@@ -1,4 +1,5 @@
 #include <signal.h>
+#include <stdlib.h> /* for mkstemp(), getenv() */
 #include "defs.h"

 char dflag;
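Review bot: `#include <stdlib.h>` is the right header for mkstemp() and getenv() on NetBSD, but on glibc mkstemp() is only declared from <stdlib.h> when the XOPEN/default feature macros are in effect, so a build with `-ansi`/`-std=c89` would fall back to an implicit declaration; if the upstream build ever compiles this file in strict ISO mode, define `_XOPEN_SOURCE` (or `_DEFAULT_SOURCE`) before the include. Since the descriptors introduced later are never close()d, no <unistd.h> is needed here, but add it if a cleanup path ends up calling close().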
@@ -31,6 +32,11 @@ char *text_file_name;
 char *union_file_name;
 char *verbose_file_name;

+static int action_fd = -1;
+static int entry_fd = -1;
+static int text_fd = -1;
+static int union_fd = -1;
+
 FILE *action_file;	/*  a temp file, used to save actions associated    */
 			/*  with rules until the parser is written	    */
 FILE *entry_file;
@@ -69,9 +75,6 @@ char  *rassoc;
 short **derives;
 char *nullable;

-extern char *mktemp();
-extern char *getenv();
-

 done(k)
 int k;
@@ -276,12 +279,21 @@ create_file_names()
     union_file_name[len + 5] = 'u';

 #ifndef NO_UNIX
-    mktemp(action_file_name);
-    mktemp(entry_file_name);
-    mktemp(text_file_name);
-    mktemp(union_file_name);
+    action_fd = mkstemp(action_file_name);
+    entry_fd = mkstemp(entry_file_name);
+    text_fd = mkstemp(text_file_name);
+    union_fd = mkstemp(union_file_name);
 #endif

+    if (action_fd < 0)
+	open_error(action_file_name);
+    if (entry_fd < 0)
+	open_error(entry_file_name);
+    if (text_fd < 0)
+	open_error(text_file_name);
+    if (union_fd < 0)
+	open_error(union_file_name);
+
     len = strlen(file_prefix);

     output_file_name = MALLOC(len + 7);
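Review bot: the four mkstemp() calls sit inside `#ifndef NO_UNIX`, but the `if (action_fd < 0) open_error(...)` checks that follow are unconditional, so a build with NO_UNIX defined will always abort in create_file_names() because every fd stays at its -1 initializer; either move the checks inside the same `#ifndef NO_UNIX` block or give the NO_UNIX path its own way of obtaining descriptors. Two things to confirm against code not shown in the hunk: mkstemp() requires the template to end in at least six `X` characters, and the `union_file_name[len + 5] = 'u'` context line writes a fixed-position letter into the name, so that write must leave the trailing run of X's intact; and where mktemp() only generated names, mkstemp() now creates all four files on disk at this point, so done() must unlink each of them on every exit path, including the error paths introduced here.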
@@ -321,15 +333,15 @@ open_files()
 	    open_error(input_file_name);
     }

-    action_file = fopen(action_file_name, "w");
+    action_file = fdopen(action_fd, "w");
     if (action_file == 0)
 	open_error(action_file_name);

-    entry_file = fopen(entry_file_name, "w");
+    entry_file = fdopen(entry_fd, "w");
     if (entry_file == 0)
 	open_error(entry_file_name);

-    text_file = fopen(text_file_name, "w");
+    text_file = fdopen(text_fd, "w");
     if (text_file == 0)
 	open_error(text_file_name);
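Review bot: switching from `fopen(name, "w")` to `fdopen(fd, "w")` is the part that actually closes the race, because the file created by mkstemp() is never reopened by pathname, and fdopen() not truncating is harmless here since the file is freshly created and empty. One loose end: if fdopen() fails, open_error() is called with the file name while the descriptor from mkstemp() stays open; that is fine if open_error() never returns, otherwise add a close() of the fd before the call.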

@@ -345,7 +357,7 @@ open_files()
 	defines_file = fopen(defines_file_name, "w");
 	if (defines_file == 0)
 	    open_error(defines_file_name);
-	union_file = fopen(union_file_name, "w");
+	union_file = fdopen(union_fd, "w");
 	if (union_file ==  0)
 	    open_error(union_file_name);
     }
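Review bot: union_fd is obtained unconditionally in create_file_names(), but this hunk only attaches it to a stream inside the conditional block that also opens defines_file (closed by the `}` at the end of the hunk). With mktemp() the union temp file never existed unless that block ran; with mkstemp() it is now created on every run, so when the block is skipped the descriptor stays open until exit and the file is left behind unless done() unlinks union_file_name unconditionally. Either guard the union mkstemp() call with the same condition or make the cleanup unconditional.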

>Release-Note:

>Audit-Trail:

From: David Holland <dholland@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/45558: lang/caml-light insecure-temporary-files
Date: Sun, 6 Nov 2011 19:29:05 +0000

  > caml-light uses mktemp() insecurely.

 Also, note that you need something like pkgsrc patch-an (appended here
 for reference) to avoid other /tmp follies at build time.

 --- launch/Makefile~	1995-02-22 04:33:26.000000000 -0500
 +++ launch/Makefile	2008-09-04 21:32:35.000000000 -0400
 @@ -10,19 +10,20 @@ all: camlc camllight camlmktop camlexec 
  # Also, "make install" is done with root permissions, meaning that we don't
  # have write permission in the current directory if NFS-mounted...

 +#	(echo "#!$(BINDIR)/camlrun"; \
 +#	 echo "exit 2"; \
 +#	 cat testprog) > /tmp/testscr
 +#	chmod a+x /tmp/testscr
 +#	sh -c 'if sh -c /tmp/testscr 2>/dev/null; \
 +#               then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \
 +#               else cp camlexec $(LIBDIR)/header; \
 +#               fi'
 +#	rm -f /tmp/testscr
  install:
 -	(echo "#!$(BINDIR)/camlrun"; \
 -	 echo "exit 2"; \
 -	 cat testprog) > /tmp/testscr
 -	chmod a+x /tmp/testscr
 -	sh -c 'if sh -c /tmp/testscr 2>/dev/null; \
 -               then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \
 -               else cp camlexec $(LIBDIR)/header; \
 -               fi'
 -	rm -f /tmp/testscr
 +	echo "#!$(BINDIR)/camlrun" > $(DESTDIR)$(LIBDIR)/header
  	for script in camlc camllight camlmktop; do \
 -	  cp $$script $(BINDIR)/$$script; \
 -	  chmod a+x $(BINDIR)/$$script; \
 +	  cp $$script $(DESTDIR)$(BINDIR)/$$script; \
 +	  chmod a+x $(DESTDIR)$(BINDIR)/$$script; \
  	done

  SEDCOMMANDS=\
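Review bot: the install target no longer probes whether a `#!$(BINDIR)/camlrun` script can be executed; it unconditionally writes that header, which drops the `cp camlexec` fallback for hosts whose kernel cannot run camlrun as a #! interpreter. That is acceptable for pkgsrc targets but should be stated in the patch comment. The old probe, which wrote to the fixed path /tmp/testscr and is the build-time /tmp problem this reply refers to, is left behind as nine commented-out lines above `install:`; delete them rather than keeping dead text in the patched Makefile. The DESTDIR change also assumes `$(DESTDIR)$(LIBDIR)` and `$(DESTDIR)$(BINDIR)` already exist when install runs.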

 -- 
 David A. Holland
 dholland@netbsd.org

From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45558 CVS commit: pkgsrc/lang/caml-light
Date: Sun, 6 Nov 2011 19:32:07 +0000

 Module Name:	pkgsrc
 Committed By:	dholland
 Date:		Sun Nov  6 19:32:07 UTC 2011

 Modified Files:
 	pkgsrc/lang/caml-light: Makefile distinfo
 Added Files:
 	pkgsrc/lang/caml-light/patches: patch-yacc_main_c

 Log Message:
 Fix insecure-temp-files, PR 45558


 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/caml-light/Makefile
 cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/caml-light/distinfo
 cvs rdiff -u -r0 -r1.1 pkgsrc/lang/caml-light/patches/patch-yacc_main_c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Nov 2011 19:36:04 +0000
State-Changed-Why:
pullup-pkgsrc #3592


From: "S.P.Zeidler" <spz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45558 CVS commit: [pkgsrc-2011Q3] pkgsrc/lang/caml-light
Date: Sun, 6 Nov 2011 20:31:01 +0000

 Module Name:	pkgsrc
 Committed By:	spz
 Date:		Sun Nov  6 20:31:01 UTC 2011

 Modified Files:
 	pkgsrc/lang/caml-light [pkgsrc-2011Q3]: Makefile distinfo
 Added Files:
 	pkgsrc/lang/caml-light/patches [pkgsrc-2011Q3]: patch-yacc_main_c

 Log Message:
 Pullup ticket #3592 - requested by dholland
 lang/caml-light: security patch

 Revisions pulled up:
 - lang/caml-light/Makefile                                      1.13
 - lang/caml-light/distinfo                                      1.9
 - lang/caml-light/patches/patch-yacc_main_c                     1.1

 -------------------------------------------------------------------
    Module Name:	pkgsrc
    Committed By:	dholland
    Date:		Sun Nov  6 19:32:07 UTC 2011

    Modified Files:
    	pkgsrc/lang/caml-light: Makefile distinfo
    Added Files:
    	pkgsrc/lang/caml-light/patches: patch-yacc_main_c

    Log Message:
    Fix insecure-temp-files, PR 45558

    To generate a diff of this commit:
    cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/caml-light/Makefile
    cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/caml-light/distinfo
    cvs rdiff -u -r0 -r1.1 pkgsrc/lang/caml-light/patches/patch-yacc_main_c


 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.11.20.1 pkgsrc/lang/caml-light/Makefile
 cvs rdiff -u -r1.6 -r1.6.28.1 pkgsrc/lang/caml-light/distinfo
 cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/lang/caml-light/patches/patch-yacc_main_c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Nov 2011 20:59:46 +0000
State-Changed-Why:
fixed and pulled up to 2011Q3.


From: David Holland <dholland@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/45558: lang/caml-light insecure-temporary-files
 (CVE-2011-4119)
Date: Tue, 8 Nov 2011 12:37:07 +0000

 Patch for Moscow ML (which also needs a makefile patch similar to the
 one described for caml-light; this is in patch-ba in pkgsrc)

 --- src/mosmlyac/main.c.orig	2000-04-28 09:38:45.000000000 +0000
 +++ src/mosmlyac/main.c
 @@ -1,6 +1,9 @@
  #include <signal.h>
  #ifdef ANSI
  #include <string.h>
 +#include <stdlib.h>
 +#else
 +extern char *getenv();
  #endif
  #include "defs.h"
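Review bot: the non-ANSI branch declares only getenv(); mkstemp() is left implicitly declared there, which happens to work because it returns int, but the `#else` branch should carry `extern int mkstemp();` as well so both branches declare the same set of functions. The ANSI branch relies on <stdlib.h> declaring mkstemp(), which holds on NetBSD but not under strict ISO C feature macros on every platform.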

 @@ -33,6 +36,11 @@ char *text_file_name;
  char *union_file_name;
  char *verbose_file_name;

 +static int action_fd = -1;
 +static int entry_fd = -1;
 +static int text_fd = -1;
 +static int union_fd = -1;
 +
  FILE *action_file;	/*  a temp file, used to save actions associated    */
  			/*  with rules until the parser is written	    */
  FILE *entry_file;
 @@ -71,9 +79,6 @@ char  *rassoc;
  short **derives;
  char *nullable;

 -extern char *mktemp();
 -extern char *getenv();
 -

  void done(int k)
  {
 @@ -276,12 +281,21 @@ void create_file_names(void)
      union_file_name[len + 5] = 'u';

  #ifndef NO_UNIX
 -    mktemp(action_file_name);
 -    mktemp(entry_file_name);
 -    mktemp(text_file_name);
 -    mktemp(union_file_name);
 +    action_fd = mkstemp(action_file_name);
 +    entry_fd = mkstemp(entry_file_name);
 +    text_fd = mkstemp(text_file_name);
 +    union_fd = mkstemp(union_file_name);
  #endif

 +    if (action_fd < 0)
 +	open_error(action_file_name);
 +    if (entry_fd < 0)
 +	open_error(entry_file_name);
 +    if (text_fd < 0)
 +	open_error(text_file_name);
 +    if (union_fd < 0)
 +	open_error(union_file_name);
 +
      len = strlen(file_prefix);

      output_file_name = MALLOC(len + 7);
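Review bot: the `if (action_fd < 0)` checks are outside the `#ifndef NO_UNIX` block that assigns the descriptors, so a NO_UNIX build always fails here with the fds still at -1; put the checks under the same guard or give that configuration its own descriptor source. Also confirm that the template built earlier in create_file_names() still ends in six `X` characters after the fixed-position letter write shown in the context line, and that done() unlinks all four files, since mkstemp() now creates them on disk where mktemp() only produced names.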
 @@ -321,15 +335,15 @@ void open_files(void)
  	    open_error(input_file_name);
      }

 -    action_file = fopen(action_file_name, "w");
 +    action_file = fdopen(action_fd, "w");
      if (action_file == 0)
  	open_error(action_file_name);

 -    entry_file = fopen(entry_file_name, "w");
 +    entry_file = fdopen(entry_fd, "w");
      if (entry_file == 0)
  	open_error(entry_file_name);

 -    text_file = fopen(text_file_name, "w");
 +    text_file = fdopen(text_fd, "w");
      if (text_file == 0)
  	open_error(text_file_name);

 @@ -345,7 +359,7 @@ void open_files(void)
  	defines_file = fopen(defines_file_name, "w");
  	if (defines_file == 0)
  	    open_error(defines_file_name);
 -	union_file = fopen(union_file_name, "w");
 +	union_file = fdopen(union_fd, "w");
  	if (union_file ==  0)
  	    open_error(union_file_name);
      }
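Review bot: union_fd is created unconditionally by the mkstemp() call in create_file_names(), but it is only turned into a stream inside the conditional block that opens defines_file, so runs that skip this block leak the descriptor until exit and leave the union temp file on disk unless done() removes union_file_name regardless of whether the block ran. Guard the union mkstemp() call with the same condition, or make the cleanup unconditional.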

 -- 
 David A. Holland
 dholland@netbsd.org

From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45558 CVS commit: pkgsrc/lang/moscow_ml
Date: Tue, 8 Nov 2011 12:41:30 +0000

 Module Name:	pkgsrc
 Committed By:	dholland
 Date:		Tue Nov  8 12:41:30 UTC 2011

 Modified Files:
 	pkgsrc/lang/moscow_ml: Makefile distinfo
 Added Files:
 	pkgsrc/lang/moscow_ml/patches: patch-mosmlyac_main_c

 Log Message:
 Fix PR 45558 (aka CVE-2011-4119) which also turns out to affect Moscow ML.
 Credit to Florian Weimer for noticing this.


 To generate a diff of this commit:
 cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/moscow_ml/Makefile
 cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/moscow_ml/distinfo
 cvs rdiff -u -r0 -r1.1 pkgsrc/lang/moscow_ml/patches/patch-mosmlyac_main_c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Matthias Scheler" <tron@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45558 CVS commit: [pkgsrc-2011Q3] pkgsrc/lang/moscow_ml
Date: Tue, 8 Nov 2011 21:58:08 +0000

 Module Name:	pkgsrc
 Committed By:	tron
 Date:		Tue Nov  8 21:58:07 UTC 2011

 Modified Files:
 	pkgsrc/lang/moscow_ml [pkgsrc-2011Q3]: Makefile distinfo
 Added Files:
 	pkgsrc/lang/moscow_ml/patches [pkgsrc-2011Q3]: patch-mosmlyac_main_c

 Log Message:
 Pullup ticket #3594 - requested by dholland
 lang/moscow_ml: security patch

 Revisions pulled up:
 - lang/moscow_ml/Makefile                                       1.29
 - lang/moscow_ml/distinfo                                       1.6
 - lang/moscow_ml/patches/patch-mosmlyac_main_c                  1.1

 ---
    Module Name:	pkgsrc
    Committed By:	dholland
    Date:		Tue Nov  8 12:41:30 UTC 2011

    Modified Files:
    	pkgsrc/lang/moscow_ml: Makefile distinfo
    Added Files:
    	pkgsrc/lang/moscow_ml/patches: patch-mosmlyac_main_c

    Log Message:
    Fix PR 45558 (aka CVE-2011-4119) which also turns out to affect Moscow ML.
    Credit to Florian Weimer for noticing this.


 To generate a diff of this commit:
 cvs rdiff -u -r1.28 -r1.28.32.1 pkgsrc/lang/moscow_ml/Makefile
 cvs rdiff -u -r1.5 -r1.5.32.1 pkgsrc/lang/moscow_ml/distinfo
 cvs rdiff -u -r0 -r1.1.2.2 \
     pkgsrc/lang/moscow_ml/patches/patch-mosmlyac_main_c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
