NetBSD Problem Report #45558
From dholland@netbsd.org Wed Nov 2 15:30:11 2011
Return-Path: <dholland@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 12F2A63B954
for <gnats-bugs@gnats.NetBSD.org>; Wed, 2 Nov 2011 15:30:11 +0000 (UTC)
Message-Id: <20111102153010.C939F14A3EC@mail.netbsd.org>
Date: Wed, 2 Nov 2011 15:30:10 +0000 (UTC)
From: dholland@NetBSD.org
Reply-To: dholland@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: lang/caml-light insecure-temporary-files (CVE-2011-4119)
X-Send-Pr-Version: 3.95
>Number: 45558
>Category: pkg
>Synopsis: lang/caml-light insecure-temporary-files (CVE-2011-4119)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 02 15:35:00 +0000 2011
>Closed-Date: Sun Nov 06 20:59:46 +0000 2011
>Last-Modified: Tue Nov 08 22:00:04 +0000 2011
>Originator: David A. Holland
>Release: pkgsrc current (20111102)
>Organization:
>Environment:
n/a
>Description:
caml-light uses mktemp() insecurely.
This issue has been assigned CVE-2011-4119 for reference. It also
turns out to affect Moscow ML. (Credit to Florian Weimer for noticing
this.)
>How-To-Repeat:
code auditing
>Fix:
--- yacc/main.c~ 1995-06-07 09:34:32.000000000 -0400
+++ yacc/main.c 2008-09-04 22:15:26.000000000 -0400
@@ -1,4 +1,5 @@
#include <signal.h>
+#include <stdlib.h> /* for mkstemp(), getenv() */
#include "defs.h"
char dflag;
@@ -31,6 +32,11 @@ char *text_file_name;
char *union_file_name;
char *verbose_file_name;
+static int action_fd = -1;
+static int entry_fd = -1;
+static int text_fd = -1;
+static int union_fd = -1;
+
FILE *action_file; /* a temp file, used to save actions associated */
/* with rules until the parser is written */
FILE *entry_file;
@@ -69,9 +75,6 @@ char *rassoc;
short **derives;
char *nullable;
-extern char *mktemp();
-extern char *getenv();
-
done(k)
int k;
@@ -276,12 +279,21 @@ create_file_names()
union_file_name[len + 5] = 'u';
#ifndef NO_UNIX
- mktemp(action_file_name);
- mktemp(entry_file_name);
- mktemp(text_file_name);
- mktemp(union_file_name);
+ action_fd = mkstemp(action_file_name);
+ entry_fd = mkstemp(entry_file_name);
+ text_fd = mkstemp(text_file_name);
+ union_fd = mkstemp(union_file_name);
#endif
+ if (action_fd < 0)
+ open_error(action_file_name);
+ if (entry_fd < 0)
+ open_error(entry_file_name);
+ if (text_fd < 0)
+ open_error(text_file_name);
+ if (union_fd < 0)
+ open_error(union_file_name);
+
len = strlen(file_prefix);
output_file_name = MALLOC(len + 7);
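Review bot: The four "< 0" checks sit after #endif, while the mkstemp() calls that set the descriptors are inside #ifndef NO_UNIX. In a build with NO_UNIX defined, all four descriptors keep their initial -1 and open_error(action_file_name) is reached unconditionally. Move the checks inside the #ifndef block, or give the NO_UNIX branch its own way of opening these files.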
@@ -321,15 +333,15 @@ open_files()
open_error(input_file_name);
}
- action_file = fopen(action_file_name, "w");
+ action_file = fdopen(action_fd, "w");
if (action_file == 0)
open_error(action_file_name);
- entry_file = fopen(entry_file_name, "w");
+ entry_file = fdopen(entry_fd, "w");
if (entry_file == 0)
open_error(entry_file_name);
- text_file = fopen(text_file_name, "w");
+ text_file = fdopen(text_fd, "w");
if (text_file == 0)
open_error(text_file_name);
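Review bot: fdopen(action_fd, "w") and its two siblings produce write-only streams, while action_file_name, entry_file_name and text_file_name are still kept around. If any code outside this hunk later reopens one of these files by name to read it back, that open is name-based again and not covered by the mkstemp() change. Worth checking those call sites; since mkstemp() returns a read/write descriptor, opening with "w+" here and rewinding would avoid a second open by name.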
@@ -345,7 +357,7 @@ open_files()
defines_file = fopen(defines_file_name, "w");
if (defines_file == 0)
open_error(defines_file_name);
- union_file = fopen(union_file_name, "w");
+ union_file = fdopen(union_fd, "w");
if (union_file == 0)
open_error(union_file_name);
}
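The difference between the name-then-fopen() pattern removed by the patch above and the mkstemp()/fdopen() pattern that replaces it, as an added C example (not code from caml-light, Moscow ML or pkgsrc). The scratch paths, struct and function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkstemp(), mkdtemp(), fdopen() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-patch pattern: a file already sits at the name, then it is opened by
 * name. reused=1: fopen(name,"w") truncated it; excl_errno: O_EXCL's answer. */
struct result { int reused, excl_errno; };
struct result open_by_name(void) {
    char dir[] = "/tmp/pr45558-demo.XXXXXX", path[64];
    struct stat st;
    struct result r = { -1, 0 };
    if (!mkdtemp(dir)) return r;            /* private scratch directory */
    snprintf(path, sizeof path, "%s/yacc.a", dir);
    FILE *pre = fopen(path, "w");           /* constructed: file is there first */
    if (!pre) { rmdir(dir); return r; }
    fputs("not ours\n", pre); fclose(pre);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    r.excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    FILE *f = fopen(path, "w");             /* what the old code did */
    if (f) { r.reused = fstat(fileno(f), &st) == 0 && st.st_size == 0; fclose(f); }
    unlink(path); rmdir(dir);
    return r;
}

/* Patched pattern: mkstemp() creates and opens in one step, then the stream
 * wraps that descriptor. Returns the permission bits, or -1 on error. */
int mkstemp_stream_mode(void) {
    char tmpl[] = "/tmp/yacc.aXXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl), mode = -1;
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (f && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    if (f) fclose(f); else close(fd);       /* fclose() also closes fd */
    unlink(tmpl);
    return mode;
}

int main(void) {
    struct result r = open_by_name();
    printf("fopen reused existing file: %d\n", r.reused);
    printf("O_EXCL open: %s\n", r.excl_errno == EEXIST ? "EEXIST" : "other");
    printf("mkstemp mode: %o\n", (unsigned)mkstemp_stream_mode());
    return 0;
}
```

POSIX specifies that mkstemp() opens its file as if with O_RDWR|O_CREAT|O_EXCL and owner-only permissions, which is why the second function never lands on a file it did not create.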
>Release-Note:
>Audit-Trail:
From: David Holland <dholland@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/45558: lang/caml-light insecure-temporary-files
Date: Sun, 6 Nov 2011 19:29:05 +0000
> caml-light uses mktemp() insecurely.
Also, note that you need something like pkgsrc patch-an (appended here
for reference) to avoid other /tmp follies at build time.
--- launch/Makefile~ 1995-02-22 04:33:26.000000000 -0500
+++ launch/Makefile 2008-09-04 21:32:35.000000000 -0400
@@ -10,19 +10,20 @@ all: camlc camllight camlmktop camlexec
# Also, "make install" is done with root permissions, meaning that we don't
# have write permission in the current directory if NFS-mounted...
+# (echo "#!$(BINDIR)/camlrun"; \
+# echo "exit 2"; \
+# cat testprog) > /tmp/testscr
+# chmod a+x /tmp/testscr
+# sh -c 'if sh -c /tmp/testscr 2>/dev/null; \
+# then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \
+# else cp camlexec $(LIBDIR)/header; \
+# fi'
+# rm -f /tmp/testscr
install:
- (echo "#!$(BINDIR)/camlrun"; \
- echo "exit 2"; \
- cat testprog) > /tmp/testscr
- chmod a+x /tmp/testscr
- sh -c 'if sh -c /tmp/testscr 2>/dev/null; \
- then echo "#!$(BINDIR)/camlrun" > $(LIBDIR)/header; \
- else cp camlexec $(LIBDIR)/header; \
- fi'
- rm -f /tmp/testscr
+ echo "#!$(BINDIR)/camlrun" > $(DESTDIR)$(LIBDIR)/header
for script in camlc camllight camlmktop; do \
- cp $$script $(BINDIR)/$$script; \
- chmod a+x $(BINDIR)/$$script; \
+ cp $$script $(DESTDIR)$(BINDIR)/$$script; \
+ chmod a+x $(DESTDIR)$(BINDIR)/$$script; \
done
SEDCOMMANDS=\
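Review bot: The install rule now writes the "#!$(BINDIR)/camlrun" header unconditionally, so the "cp camlexec $(LIBDIR)/header" fallback for systems where the test script does not run is gone. That is a behaviour change beyond the /tmp fix and should be stated in the patch comment. The removed block is also kept as nine commented-out lines directly under the NFS remark, where it reads as part of that comment; delete it outright or add one line saying why it was disabled.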
--
David A. Holland
dholland@netbsd.org
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45558 CVS commit: pkgsrc/lang/caml-light
Date: Sun, 6 Nov 2011 19:32:07 +0000
Module Name: pkgsrc
Committed By: dholland
Date: Sun Nov 6 19:32:07 UTC 2011
Modified Files:
pkgsrc/lang/caml-light: Makefile distinfo
Added Files:
pkgsrc/lang/caml-light/patches: patch-yacc_main_c
Log Message:
Fix insecure-temp-files, PR 45558
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/caml-light/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/caml-light/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/caml-light/patches/patch-yacc_main_c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Nov 2011 19:36:04 +0000
State-Changed-Why:
pullup-pkgsrc #3592
From: "S.P.Zeidler" <spz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45558 CVS commit: [pkgsrc-2011Q3] pkgsrc/lang/caml-light
Date: Sun, 6 Nov 2011 20:31:01 +0000
Module Name: pkgsrc
Committed By: spz
Date: Sun Nov 6 20:31:01 UTC 2011
Modified Files:
pkgsrc/lang/caml-light [pkgsrc-2011Q3]: Makefile distinfo
Added Files:
pkgsrc/lang/caml-light/patches [pkgsrc-2011Q3]: patch-yacc_main_c
Log Message:
Pullup ticket #3592 - requested by dholland
lang/caml-light: security patch
Revisions pulled up:
- lang/caml-light/Makefile 1.13
- lang/caml-light/distinfo 1.9
- lang/caml-light/patches/patch-yacc_main_c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: dholland
Date: Sun Nov 6 19:32:07 UTC 2011
Modified Files:
pkgsrc/lang/caml-light: Makefile distinfo
Added Files:
pkgsrc/lang/caml-light/patches: patch-yacc_main_c
Log Message:
Fix insecure-temp-files, PR 45558
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/caml-light/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/caml-light/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/caml-light/patches/patch-yacc_main_c
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.20.1 pkgsrc/lang/caml-light/Makefile
cvs rdiff -u -r1.6 -r1.6.28.1 pkgsrc/lang/caml-light/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/lang/caml-light/patches/patch-yacc_main_c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Nov 2011 20:59:46 +0000
State-Changed-Why:
fixed and pulled up to 2011Q3.
From: David Holland <dholland@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/45558: lang/caml-light insecure-temporary-files
(CVE-2011-4119)
Date: Tue, 8 Nov 2011 12:37:07 +0000
Patch for Moscow ML (which also needs a makefile patch similar to the
one described for caml-light; this is in patch-ba in pkgsrc)
--- src/mosmlyac/main.c.orig 2000-04-28 09:38:45.000000000 +0000
+++ src/mosmlyac/main.c
@@ -1,6 +1,9 @@
#include <signal.h>
#ifdef ANSI
#include <string.h>
+#include <stdlib.h>
+#else
+extern char *getenv();
#endif
#include "defs.h"
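Review bot: In the non-ANSI branch only getenv() gets a declaration; mkstemp(), which the later hunks call, is declared only through <stdlib.h> in the ANSI branch. It returns int, so the implicit declaration happens to work, but adding "extern int mkstemp();" next to the getenv() line would keep the two branches equivalent and avoid relying on implicit declarations.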
@@ -33,6 +36,11 @@ char *text_file_name;
char *union_file_name;
char *verbose_file_name;
+static int action_fd = -1;
+static int entry_fd = -1;
+static int text_fd = -1;
+static int union_fd = -1;
+
FILE *action_file; /* a temp file, used to save actions associated */
/* with rules until the parser is written */
FILE *entry_file;
@@ -71,9 +79,6 @@ char *rassoc;
short **derives;
char *nullable;
-extern char *mktemp();
-extern char *getenv();
-
void done(int k)
{
@@ -276,12 +281,21 @@ void create_file_names(void)
union_file_name[len + 5] = 'u';
#ifndef NO_UNIX
- mktemp(action_file_name);
- mktemp(entry_file_name);
- mktemp(text_file_name);
- mktemp(union_file_name);
+ action_fd = mkstemp(action_file_name);
+ entry_fd = mkstemp(entry_file_name);
+ text_fd = mkstemp(text_file_name);
+ union_fd = mkstemp(union_file_name);
#endif
+ if (action_fd < 0)
+ open_error(action_file_name);
+ if (entry_fd < 0)
+ open_error(entry_file_name);
+ if (text_fd < 0)
+ open_error(text_file_name);
+ if (union_fd < 0)
+ open_error(union_file_name);
+
len = strlen(file_prefix);
output_file_name = MALLOC(len + 7);
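Review bot: The results are checked only after all four mkstemp() calls, so when a later call fails the earlier files already exist on disk, and action_file and the other FILE pointers are not set yet because fdopen() only happens in open_files(). Confirm that the open_error() exit path removes the files by name in that state, or unlink the ones already created before calling it.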
@@ -321,15 +335,15 @@ void open_files(void)
open_error(input_file_name);
}
- action_file = fopen(action_file_name, "w");
+ action_file = fdopen(action_fd, "w");
if (action_file == 0)
open_error(action_file_name);
- entry_file = fopen(entry_file_name, "w");
+ entry_file = fdopen(entry_fd, "w");
if (entry_file == 0)
open_error(entry_file_name);
- text_file = fopen(text_file_name, "w");
+ text_file = fdopen(text_fd, "w");
if (text_file == 0)
open_error(text_file_name);
@@ -345,7 +359,7 @@ void open_files(void)
defines_file = fopen(defines_file_name, "w");
if (defines_file == 0)
open_error(defines_file_name);
- union_file = fopen(union_file_name, "w");
+ union_file = fdopen(union_fd, "w");
if (union_file == 0)
open_error(union_file_name);
}
--
David A. Holland
dholland@netbsd.org
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45558 CVS commit: pkgsrc/lang/moscow_ml
Date: Tue, 8 Nov 2011 12:41:30 +0000
Module Name: pkgsrc
Committed By: dholland
Date: Tue Nov 8 12:41:30 UTC 2011
Modified Files:
pkgsrc/lang/moscow_ml: Makefile distinfo
Added Files:
pkgsrc/lang/moscow_ml/patches: patch-mosmlyac_main_c
Log Message:
Fix PR 45558 (aka CVE-2011-4119) which also turns out to affect Moscow ML.
Credit to Florian Weimer for noticing this.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/moscow_ml/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/moscow_ml/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/moscow_ml/patches/patch-mosmlyac_main_c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Matthias Scheler" <tron@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45558 CVS commit: [pkgsrc-2011Q3] pkgsrc/lang/moscow_ml
Date: Tue, 8 Nov 2011 21:58:08 +0000
Module Name: pkgsrc
Committed By: tron
Date: Tue Nov 8 21:58:07 UTC 2011
Modified Files:
pkgsrc/lang/moscow_ml [pkgsrc-2011Q3]: Makefile distinfo
Added Files:
pkgsrc/lang/moscow_ml/patches [pkgsrc-2011Q3]: patch-mosmlyac_main_c
Log Message:
Pullup ticket #3594 - requested by dholland
lang/moscow_ml: security patch
Revisions pulled up:
- lang/moscow_ml/Makefile 1.29
- lang/moscow_ml/distinfo 1.6
- lang/moscow_ml/patches/patch-mosmlyac_main_c 1.1
---
Module Name: pkgsrc
Committed By: dholland
Date: Tue Nov 8 12:41:30 UTC 2011
Modified Files:
pkgsrc/lang/moscow_ml: Makefile distinfo
Added Files:
pkgsrc/lang/moscow_ml/patches: patch-mosmlyac_main_c
Log Message:
Fix PR 45558 (aka CVE-2011-4119) which also turns out to affect Moscow ML.
Credit to Florian Weimer for noticing this.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.32.1 pkgsrc/lang/moscow_ml/Makefile
cvs rdiff -u -r1.5 -r1.5.32.1 pkgsrc/lang/moscow_ml/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/lang/moscow_ml/patches/patch-mosmlyac_main_c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: