Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 1 Apr 2009 13:05:53 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id rquest: xfig insecure tmp files

Hi,
it has come to our intention that the Debian package of xfig 
fixes some insecure temporary file creations in various 
places in xfig. I attached the patch.

Can I get a CVE id for this?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

#! /bin/sh /usr/share/dpatch/dpatch-run
## 25_mkstemp.dpatch by Hans de Goede <j.w.r.degoede@....nl>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Temp file vulnerability Security fix!

@DPATCH@
diff -urNad xfig~/f_readeps.c xfig/f_readeps.c
--- xfig~/f_readeps.c
+++ xfig/f_readeps.c
@@ -250,11 +250,10 @@
     int         urx, llx, ury, lly;
     int         pdf_flag;
 {
-    static	tempseq = 0;
     char        buf[300];
     FILE       *tmpfp, *pixfile, *gsfile;
     char       *psnam, *driver;
-    int         status, wid, ht, nbitmap;
+    int         status, wid, ht, nbitmap, fd;
     char        tmpfile[PATH_MAX],
 		pixnam[PATH_MAX],
 		errnam[PATH_MAX],
@@ -270,8 +269,12 @@
 	/* re-open the pipe */
 	close_picfile(file, filetype);
 	file = open_picfile(tmpfile, &filetype, PIPEOK, pixnam);
-	sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-eps", getpid());
-	if ((tmpfp = fopen(tmpfile, "wb")) == NULL) {
+   snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-eps.XXXXXX", TMPDIR);
+   if ((fd = mkstemp(tmpfile)) == -1 || (tmpfp = fdopen(fd, "wb")) == NULL) {
+       if (fd != -1) {
+         unlink(tmpfile);
+         close(fd);
+       }
 	    file_msg("Couldn't open tmp file %s, %s", tmpfile, strerror(errno));
 	    return False;
 	}
@@ -280,10 +283,20 @@
 	fclose(tmpfp);
     }
     /* make name /TMPDIR/xfig-pic######.pix */
-    sprintf(pixnam, "%s/%s%06d.pix", TMPDIR, "xfig-pic", tempseq);
+    snprintf(pixnam, sizeof(pixnam), "%s/xfig-pic.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(pixnam)) == -1) {
+        file_msg("Couldn't open tmp file %s, %s", pixnam, strerror(errno));
+        return False;
+    }
+    close(fd);
+
     /* and file name for any error messages from gs */
-    sprintf(errnam, "%s/%s%06d.err", TMPDIR, "xfig-pic", tempseq);
-    tempseq++;
+    snprintf(errnam, sizeof(errnam), "%s/xfig-picerr.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(errnam)) == -1) {
+       file_msg("Couldn't open tmp file %s, %s", errnam, strerror(errno));
+       return False;
+    }
+    close(fd);
 
     /* generate gs command line */
     /* for monochrome, use pbm */
diff -urNad xfig~/f_readgif.c xfig/f_readgif.c
--- xfig~/f_readgif.c
+++ xfig/f_readgif.c
@@ -76,7 +76,7 @@
 	char		buf[BUFLEN],pcxname[PATH_MAX];
 	FILE		*giftopcx;
 	struct Cmap 	localColorMap[MAX_COLORMAP_SIZE];
-	int		i, stat, size;
+	int		i, stat, size, fd;
 	int		useGlobalColormap;
 	unsigned int	bitPixel, red, green, blue;
 	unsigned char	c;
@@ -173,7 +173,13 @@
 	/* now call giftopnm and ppmtopcx */
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+		file_msg("Cannot create temporary file\n");
+		return FileInvalid;
+	}
+	close(fd);
+
 	/* make command to convert gif to pcx into temp file */
 	sprintf(buf, "giftopnm -quiet | ppmtopcx -quiet > %s", pcxname);
 	if ((giftopcx = popen(buf,"w" )) == 0) {
diff -urNad xfig~/f_readppm.c xfig/f_readppm.c
--- xfig~/f_readppm.c
+++ xfig/f_readppm.c
@@ -34,10 +34,16 @@
 {
 	char	 buf[BUFLEN],pcxname[PATH_MAX];
 	FILE	*giftopcx;
-	int	 stat, size;
+	int	 stat, size, fd;
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+	    file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno));
+	    return FileInvalid;
+	}
+	close(fd);
+
 	/* make command to convert gif to pcx into temp file */
 	sprintf(buf, "ppmtopcx > %s 2> /dev/null", pcxname);
 	if ((giftopcx = popen(buf,"w" )) == 0) {
diff -urNad xfig~/f_readtif.c xfig/f_readtif.c
--- xfig~/f_readtif.c
+++ xfig/f_readtif.c
@@ -33,11 +33,16 @@
 {
 	char	 buf[2*PATH_MAX+40],pcxname[PATH_MAX];
 	FILE	*tiftopcx;
-	int	 stat;
+	int	 stat, fd;
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
-
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+	    file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno));
+		return FileInvalid;
+	}
+	close(fd);
+	
 	/* make command to convert tif to pnm then to pcx into temp file */
 	/* for some reason, tifftopnm requires a file and can't work in a pipe */
 	sprintf(buf, "tifftopnm %s 2> /dev/null | ppmtopcx > %s 2> /dev/null",
diff -urNad xfig~/f_util.c xfig/f_util.c
--- xfig~/f_util.c
+++ xfig/f_util.c
@@ -906,14 +906,20 @@
 int strain_out(char *name)
 {
     char    line[RC_BUFSIZ+1], *tok;
+    int fd;
 
     /* make a temp filename in the user's home directory so we
        can just rename it to .xfigrc after creating it */
-    sprintf(tmpname, "%s/%s%06d", userhome, "xfig-xfigrc", getpid());
-    tmpf = fopen(tmpname,"wb");
-    if (tmpf == 0) {
-	file_msg("Can't make temporary file for .xfigrc - error: %s",strerror(errno));
-	return -1;	
+    snprintf(tmpname, sizeof(tmpname), "%s/xfig-xfigrc.XXXXXX", userhome);
+
+    if ((fd = mkstemp(tmpname)) == -1 || (tmpf = fdopen(fd, "wb")) == NULL) {
+       file_msg("Can't make temporary file for .xfigrc - error: %s",
+              strerror(errno));
+       if (fd != -1) {
+          unlink(tmpname);
+          close(fd);
+       }
+       return -1;
     }
     /* read the .xfigrc file and write all to temp file except file names */
     xfigrc = fopen(xfigrc_name,"r");
diff -urNad xfig~/main.c xfig/main.c
--- xfig~/main.c
+++ xfig/main.c
@@ -657,8 +657,10 @@
     update_figs = False;
 
     /* get the TMPDIR environment variable for temporary files */
-    if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL)
-	TMPDIR = "/tmp";
+    if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL) {
+		if ((TMPDIR = getenv("TMPDIR")) == NULL)
+			TMPDIR = "/tmp";
+	}
 
     /* first check args to see if user wants to scale the figure as it is
 	read in and make sure it is a resonable (positive) number */
@@ -1673,7 +1675,14 @@
     if (userhome != NULL && *strcpy(cut_buf_name, userhome) != '\0') {
 	strcat(cut_buf_name, "/.xfig");
     } else {
-	sprintf(cut_buf_name, "%s/xfig%06d", TMPDIR, getpid());
+		int fd;
+		sprintf(cut_buf_name, "%s/xfig.XXXXXX", TMPDIR);
+		if ((fd = mkstemp(cut_buf_name)) == -1) {
+			fprintf(stderr, "Can't create temporary file for cut_buff: %s\n",
+					strerror(errno));
+			exit(0);
+		}
+		close(fd);
     }
 }
 
diff -urNad xfig~/mode.c xfig/mode.c
--- xfig~/mode.c
+++ xfig/mode.c
@@ -86,7 +86,7 @@
 
 int		cur_exp_lang;		/* gets initialized in main.c */
 Boolean		batch_exists = False;
-char		batch_file[32];
+char		batch_file[PATH_MAX];
 
 /*******************************************************************/
 /* If you change the order of the lang_items[] you must change the */
diff -urNad xfig~/u_print.c xfig/u_print.c
--- xfig~/u_print.c
+++ xfig/u_print.c
@@ -92,9 +92,16 @@
     char	    syspr[2*PATH_MAX+200];
     char	    tmpfile[PATH_MAX];
     char	   *name;
+    int     fd;
 
-    sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-print", getpid());
+    snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-print.XXXXXX", TMPDIR);
     warnexist = False;
+    if ((fd = mkstemp(tmpfile)) == -1) {
+       file_msg("Can't open temp file %s: %s\n", tmpfile, strerror(errno));
+       return;
+    }
+    close(fd);
+
     init_write_tmpfile();
     if (write_file(tmpfile, False)) {
       end_write_tmpfile();
@@ -671,10 +678,16 @@
     char   errfname[PATH_MAX];
     FILE  *errfile;
     char   str[400];
-    int	   status;
+    int	   status, fd;
 
     /* make temp filename for any errors */
-    sprintf(errfname, "%s/xfig-export%06d.err", TMPDIR, getpid());
+    snprintf(errfname, sizeof(errfname), "%s/xfig-export.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(errfname)) == -1) {
+	file_msg("Can't open temp file %s: %s\n", errfname, strerror(errno));
+	return 1;
+    }
+    close(fd);
+    
     /* direct any output from fig2dev to this file */
     strcat(command, " 2> "); 
     strcat(command, errfname); 
diff -urNad xfig~/w_print.c xfig/w_print.c
--- xfig~/w_print.c
+++ xfig/w_print.c
@@ -295,9 +295,10 @@
 do_print_batch(Widget w)
 {
 	FILE	   *infp,*outfp;
-	char	    tmp_exp_file[32];
+	char	    tmp_exp_file[PATH_MAX];
 	char	    str[255];
 	char	    backgrnd[10], grid[80];
+   int       fd;
 
 	if (writing_batch || emptyfigure_msg(print_msg))
 		return;
@@ -306,11 +307,20 @@
 	/* this could happen if the user presses the button too fast */
 	writing_batch = True;
 
-	/* make a temporary name to write the batch stuff to */
-	sprintf(batch_file, "%s/%s%06d", TMPDIR, "xfig-batch", getpid());
 	/* make a temporary name to write this figure to */
-	sprintf(tmp_exp_file, "%s/%s%06d", TMPDIR, "xfig-exp", getpid());
-	batch_exists = True;
+	snprintf(tmp_exp_file, sizeof(tmp_exp_file), "%s/xfig-exp.XXXXXX",
+		TMPDIR);
+
+	if (batch_exists != True) {
+		/* make a temporary name to write the batch stuff to */
+		sprintf(batch_file, "%s/xfig-batch.XXXXXX", TMPDIR);
+		if ((fd = mkstemp(batch_file)) == -1) {
+			file_msg("Error creating temporary file");
+			return;
+		}
+		close(fd);
+		batch_exists = True;
+	}
 	if (!print_popup) 
 		create_print_panel(w);
 
@@ -323,6 +333,12 @@
 	/* make a #rrggbb string from the background color */
 	make_rgb_string(export_background_color, backgrnd);
 
+	if ((fd = mkstemp(tmp_exp_file)) == -1) {
+		file_msg("Error creating temporary file");
+		return;
+	}
+	close(fd);
+
 	/* get grid params and assemble into fig2dev parm */
 	get_grid_spec(grid, print_grid_minor_text, print_grid_major_text);
 
diff -urNad xfig~/w_srchrepl.c xfig/w_srchrepl.c
--- xfig~/w_srchrepl.c
+++ xfig/w_srchrepl.c
@@ -788,7 +788,7 @@
   char	 *cmd;
   char	  str[300];
   FILE	 *fp;
-  int	  len, i;
+  int	  len, i, fd;
   Boolean done = FALSE;
   static int lines = 0;
 
@@ -804,9 +804,12 @@
   }
   lines = 0;
 
-  sprintf(filename, "%s/xfig-spell.%d", TMPDIR, (int)getpid());
-  fp = fopen(filename, "w");
-  if (fp == NULL) {
+  snprintf(filename, sizeof(filename), "%s/xfig-spell.XXXXXX", TMPDIR);
+  if ((fd = mkstemp(filename)) == -1 || (fp = fdopen(fd, "w")) == NULL) {
+    if (fd != -1) {
+	unlink(filename);
+	close(fd);
+    }
     file_msg("Can't open temporary file: %s: %s\n", filename, strerror(errno));
   } else {
     /* locate all text objects and write them to file fp */


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ