Jim Paris
2012-Jan-11 17:37 UTC
[Secure-testing-team] Bug#655496: Insecure temporary file creation in /tmp
Package: as31
Version: 2.3.1-4
Severity: important
Tags: security

as31 creates a temporary file during assembly. It uses the UID and
random() in the filename, but the random number generator is never
seeded, and so the filename is predictably the same every time,
introducing a security hole:

$ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
$ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
$ strace -e open as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-1000-1804289383.asm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

The attached patch changes it to use mkstemps instead, giving:

$ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-zadWSD.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
$ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-jkeFed.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
$ strace -e open as31/as31 examples/paulmon1.asm 2>&1 | grep /tmp | head -1
open("/tmp/as31-PzQu9r.asm", O_RDWR|O_CREAT|O_EXCL, 0600) = 3

-jim

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (200, 'stable'), (150, 'oldstable'), (80, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages as31 depends on:
ii  libc6  2.11.2-10

as31 recommends no packages.
as31 suggests no packages.

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: as31-mkstemps.patch
Type: text/x-c
Size: 842 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120111/c2cf6e92/attachment.bin>
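Added example, not as31's code and not the contents of the scrubbed patch: it reproduces the naming scheme and open() flags visible in the strace output above, simulates the symlink attack a predictable /tmp name permits, and contrasts it with an O_EXCL open and with the mkstemps() replacement the report describes. The scratch-directory helper, the function names and the "victim.txt" file are assumptions made for the demonstration; the fresh-process RNG state is modelled with srandom(1), which is the default seed an unseeded random() starts from.

```c
/* Added demonstration for Bug#655496; not as31's code and not the attached
 * patch. Reproduces the bug class (temp name from an unseeded random(),
 * opened with O_CREAT|O_TRUNC) and the mkstemps() fix, inside a private
 * scratch directory rather than the shared /tmp so the demo itself is safe. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes mkstemps() and mkdtemp() in glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int mkstemps(char *template, int suffixlen);   /* repeated in case a strict */
char *mkdtemp(char *template);                 /* -std= flag hides them     */

enum { PATHBUF = 1024 };

/* The vulnerable naming scheme. A process that never calls srandom() behaves
 * as if it had called srandom(1); on glibc the first random() is then
 * 1804289383, the number in the strace output above. srandom(1) here models
 * that fresh-process state, so every call yields the same name. */
void predictable_name(char *buf, size_t n, const char *dir, uid_t uid)
{
    srandom(1);
    snprintf(buf, n, "%s/as31-%ld-%ld.asm", dir, (long)uid, random());
}

/* as31's original open(): follows a symlink planted at the guessable path and
 * truncates whatever it points to; 0666 also leaves the file world-readable. */
int vulnerable_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Minimal hardening of the same open(): O_EXCL makes the kernel refuse with
 * EEXIST if anything, a symlink included, already sits at the path. */
int excl_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The fix from the report: mkstemps() chooses the random part itself, opens
 * with O_CREAT|O_EXCL (trying a new name on collision) and mode 0600. The
 * ".asm" suffix is 4 bytes, hence the second argument. Returns the fd and
 * leaves the final name in buf. */
int safe_open(char *buf, size_t n, const char *dir)
{
    snprintf(buf, n, "%s/as31-XXXXXX.asm", dir);
    return mkstemps(buf, 4);
}

/* Private scratch directory for the demo ($TMPDIR, /tmp, or cwd). 0 on success. */
int make_sandbox(char *buf, size_t n)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    snprintf(buf, n, "%s/as31demo-XXXXXX", base);
    if (mkdtemp(buf) != NULL) return 0;
    snprintf(buf, n, "./as31demo-XXXXXX");
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* Simulated attack: the attacker computes the same predictable name and plants
 * a symlink from it to a victim file; then 'opener' runs as the assembler
 * would. Returns 1 if the victim was truncated through the link, 0 if the
 * open was refused, -1 on setup error. */
int attack_truncates_victim(const char *dir, int (*opener)(const char *))
{
    char victim[PATHBUF], planted[PATHBUF];
    struct stat st;
    int fd, truncated;

    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return -1;
    close(fd);

    predictable_name(planted, sizeof planted, dir, getuid()); /* attacker's guess */
    unlink(planted);
    if (symlink(victim, planted) != 0) return -1;             /* attacker's move */

    fd = opener(planted);                                     /* assembler's move */
    if (fd >= 0) close(fd);

    if (stat(victim, &st) != 0) return -1;
    truncated = (st.st_size == 0);
    unlink(planted);
    unlink(victim);
    return truncated;
}

int main(void)
{
    char dir[PATHBUF], name[PATHBUF];
    if (make_sandbox(dir, sizeof dir) != 0) return 1;
    printf("O_TRUNC open truncated victim: %d\n",
           attack_truncates_victim(dir, vulnerable_open));
    printf("O_EXCL open truncated victim:  %d\n",
           attack_truncates_victim(dir, excl_open));
    int fd = safe_open(name, sizeof name, dir);
    printf("mkstemps gave fd %d for %s\n", fd, name);
    if (fd >= 0) { close(fd); unlink(name); }
    rmdir(dir);
    return 0;
}
```

Build with `cc -o as31demo as31demo.c` and run it; the O_TRUNC path reports 1 (victim emptied), the O_EXCL path 0. Note why the patch reaches for mkstemps() rather than just adding O_EXCL to the fixed name: with a fixed, guessable name an attacker who pre-creates the file cannot truncate anything, but can still make every assembly fail, whereas mkstemps() moves on to a fresh name and, by opening with 0600, also stops the 0666 world-readable leak of the intermediate file.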