#8 Insecure use of tmpnam(3)

Status: closed-fixed
Owner: Emil Brink
Labels: None
Priority: 5
Updated: 2009-03-08
Created: 2009-01-26
Creator: OBATA Akio
Private: No

In src/types.c, typ_identify_end() is using tmpnam(3), but it is insecure.
If an attacker puts a file or symbolic link with the same name as temp_name before gentoo creates it with open(2):
* the attacker can get file names from the temp file, even if users may want them hidden.
* the attacker can insert fake output of the file command, so a file may be treated as an unwanted file type by gentoo.
* if it is a symbolic link, the referenced file may be broken by the output of the file command.
and so on.

At least, open(2) should be called with O_EXCL to detect the attacker's file.
Or use mkstemp(3) instead to create the temp file atomically.
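
The two remedies named in the report, as an added example (not gentoo's own code and not the reporter's): mkstemp(3) creates the temporary file atomically, and O_CREAT|O_EXCL makes open(2) refuse a name that something already occupies. The function names and the `gentoo-typ-` name prefix are assumed for illustration only.

```c
/* Added example, not code from gentoo or the tracker: the two fixes the
 * report proposes for the tmpnam(3) race in typ_identify_end(). Names
 * and paths here are constructed for the demonstration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The mkstemp approach: mkstemp(3) chooses the name and creates the
 * file with O_CREAT|O_EXCL in one step, so a file or symlink planted
 * under a guessed name is never silently opened. On success returns
 * the fd and leaves the created path in 'path' for the caller to
 * unlink later; returns -1 on error. */
int create_temp_secure(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    /* the trailing XXXXXX is replaced by mkstemp with random characters */
    if (snprintf(path, len, "%s/gentoo-typ-XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);             /* created mode 0600, atomically */
}

/* The O_EXCL approach: when the name is already chosen, O_CREAT|O_EXCL
 * makes open(2) fail with EEXIST if anything (regular file or symlink,
 * dangling or not) already sits at that path, instead of writing
 * through it. Returns the fd, or -errno on failure. */
int open_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -errno : fd;
}

/* Shows the check working: a file is placed at the chosen name first
 * (the situation the report describes), then the exclusive open must
 * refuse it. Returns 1 when the pre-existing file was detected. */
int exclusive_open_detects_planted_file(void)
{
    char planted[256];
    int fd = create_temp_secure(planted, sizeof planted);
    if (fd < 0)
        return 0;
    close(fd);                        /* the pre-existing file is now there */
    int rc = open_exclusive(planted); /* what typ_identify_end() should do */
    unlink(planted);
    return rc == -EEXIST;
}
```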

Discussion

  • Emil Brink
    2009-03-08

    • status: open --> open-fixed

  • Emil Brink
    2009-03-08

    For gentoo 0.15.2, I've totally rewritten the function that did this call. It no longer uses tmpnam(), in fact it no longer creates a temporary file at all. Now it's all done through pipes, so it should be both more secure and faster (since it doesn't touch disk). Marked as 'Fixed'.

  • Emil Brink
    2009-03-08

    Forgot to actually assign and close it. :)

  • Emil Brink
    2009-03-08

    • assigned_to: nobody --> emilbrink
    • status: open-fixed --> closed-fixed