Ben Woodard <ben@...> writes:
> I see why this is. The bug is due to a half undone change.
>
> At some time in the past someone tried to remove all the mktemp
> references in lpd. When they did it they messed some things up. I
> backed out their change and in this one spot I only got half of it.
Well, this might have been me (but I didn't think I'd changed the
template), I sent a change that did...
+static char *safe_mktemp(char *filename)
+{ /* this is a safe version of mktemp() */
+ int fd = -1;
+
+ if ((fd = mkstemp(filename)) == -1)
+ {
+ /* fatal("mkstemp: %s", strerror(errno)); */
+ return (NULL);
+ }
+ /* glibc-2.0.x creates the files with 0666, Duh! */
+ if (fchmod(fd, 0600) == -1)
+ {
+ /* fatal("fchmod: %s", strerror(errno)); */
+ close(fd);
+ return (NULL);
+ }
+
+ close(lfd);
+
+ return (filename);
+}
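Review bot: `close(lfd);` near the end of the hunk refers to a variable that does not exist in this function (the only descriptor is `fd`), so the patch will not compile as posted; it should read `close(fd);`. Beyond that, closing the descriptor and returning only the name forces the caller to reopen the file by path, which reopens the window that mkstemp() had closed; consider returning `fd` (or handing it back through a pointer argument) so the caller keeps using the descriptor mkstemp() opened. The commented-out `fatal(...)` calls also leave both failure paths silent; at least log `strerror(errno)` before returning NULL.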
...in printjob.c the lfd needs to be just fd above, but apart from
that it should work like a safe version of mktemp() (completely
untested though as before). However, note that if you move the template
from being in / to any globally writable dir (like /tmp) then the
current code is exploitable.
--
James Antill -- james@...
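The variant James's last paragraph points at, as an added example rather than code from his patch or from lpd: create the temp file with mkstemp(), force mode 0600 with fchmod(), and hand the caller the open descriptor so the file is never reopened by name. The `safe_tmpfd`/`fd_mode_bits` names and the `/tmp/lpd-example-XXXXXX` template are constructed for this example.

```c
/* Added example, not the patch from the thread: a mkstemp() wrapper that
 * returns the open descriptor instead of closing it, so callers never
 * reopen the file by path (the step a symlink swap in a world-writable
 * directory would target). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open 0600 descriptor on a new file, or -1 with errno set.
 * template_buf ("...XXXXXX") is rewritten in place by mkstemp(). */
static int safe_tmpfd(char *template_buf)
{
    int fd = mkstemp(template_buf);
    if (fd == -1)
        return -1;
    /* Old glibc created the file 0666 modulo umask; set the mode explicitly. */
    if (fchmod(fd, 0600) == -1) {
        int saved = errno;
        close(fd);
        unlink(template_buf);   /* do not leave a stray file behind */
        errno = saved;
        return -1;
    }
    return fd;                  /* caller keeps this; no reopen by name */
}

/* Permission bits of an open descriptor (for checking), or -1 on error. */
static int fd_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    char name[] = "/tmp/lpd-example-XXXXXX";   /* constructed template */
    int fd = safe_tmpfd(name);
    if (fd == -1) {
        perror("safe_tmpfd");
        return 1;
    }
    printf("created %s with mode %04o\n", name, fd_mode_bits(fd));
    close(fd);
    unlink(name);
    return 0;
}
```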