Date: Wed, 1 Apr 2009 13:05:53 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id rquest: xfig insecure tmp files

Hi,
it has come to our attention that the Debian package of xfig 
fixes some insecure temporary file creations in various 
places in xfig. I have attached the patch.

Can I get a CVE id for this?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

#! /bin/sh /usr/share/dpatch/dpatch-run
## 25_mkstemp.dpatch by Hans de Goede <j.w.r.degoede@....nl>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Temp file vulnerability Security fix!

@DPATCH@
diff -urNad xfig~/f_readeps.c xfig/f_readeps.c
--- xfig~/f_readeps.c
+++ xfig/f_readeps.c
@@ -250,11 +250,10 @@
     int         urx, llx, ury, lly;
     int         pdf_flag;
 {
-    static	tempseq = 0;
     char        buf[300];
     FILE       *tmpfp, *pixfile, *gsfile;
     char       *psnam, *driver;
-    int         status, wid, ht, nbitmap;
+    int         status, wid, ht, nbitmap, fd;
     char        tmpfile[PATH_MAX],
 		pixnam[PATH_MAX],
 		errnam[PATH_MAX],
@@ -270,8 +269,12 @@
 	/* re-open the pipe */
 	close_picfile(file, filetype);
 	file = open_picfile(tmpfile, &filetype, PIPEOK, pixnam);
-	sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-eps", getpid());
-	if ((tmpfp = fopen(tmpfile, "wb")) == NULL) {
+   snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-eps.XXXXXX", TMPDIR);
+   if ((fd = mkstemp(tmpfile)) == -1 || (tmpfp = fdopen(fd, "wb")) == NULL) {
+       if (fd != -1) {
+         unlink(tmpfile);
+         close(fd);
+       }
 	    file_msg("Couldn't open tmp file %s, %s", tmpfile, strerror(errno));
 	    return False;
 	}
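Review bot: In the failure branch, `unlink(tmpfile)` and `close(fd)` run before `file_msg(..., strerror(errno))`, so errno can be overwritten and the message may not describe the mkstemp()/fdopen() failure. Save it first (`int err = errno;` and pass `strerror(err)`), or call file_msg() before the cleanup as the f_util.c hunk of this patch does. The w_srchrepl.c hunk has the same ordering. The enclosing function starts and ends outside this hunk.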
@@ -280,10 +283,20 @@
 	fclose(tmpfp);
     }
     /* make name /TMPDIR/xfig-pic######.pix */
-    sprintf(pixnam, "%s/%s%06d.pix", TMPDIR, "xfig-pic", tempseq);
+    snprintf(pixnam, sizeof(pixnam), "%s/xfig-pic.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(pixnam)) == -1) {
+        file_msg("Couldn't open tmp file %s, %s", pixnam, strerror(errno));
+        return False;
+    }
+    close(fd);
+
     /* and file name for any error messages from gs */
-    sprintf(errnam, "%s/%s%06d.err", TMPDIR, "xfig-pic", tempseq);
-    tempseq++;
+    snprintf(errnam, sizeof(errnam), "%s/xfig-picerr.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(errnam)) == -1) {
+       file_msg("Couldn't open tmp file %s, %s", errnam, strerror(errno));
+       return False;
+    }
+    close(fd);
 
     /* generate gs command line */
     /* for monochrome, use pbm */
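Review bot: `pixnam` and `errnam` are created with mkstemp() and closed at once, so whatever consumes them later (presumably the gs command built below) reopens them by path. That is only race-free while TMPDIR is a sticky or private directory, where another user cannot replace the pre-created file, and a comment stating this assumption would help. The same create-close-reopen pattern appears in the f_readgif.c, f_readppm.c, f_readtif.c, main.c, u_print.c and w_print.c hunks. Separately, if the second mkstemp() fails, the function returns with the just-created `pixnam` still on disk; add `unlink(pixnam);` before that `return False;`. The comment `/* make name /TMPDIR/xfig-pic######.pix */` is stale now that the `.pix` and `.err` suffixes are gone, and whether later code relies on those suffixes is not visible here.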
diff -urNad xfig~/f_readgif.c xfig/f_readgif.c
--- xfig~/f_readgif.c
+++ xfig/f_readgif.c
@@ -76,7 +76,7 @@
 	char		buf[BUFLEN],pcxname[PATH_MAX];
 	FILE		*giftopcx;
 	struct Cmap 	localColorMap[MAX_COLORMAP_SIZE];
-	int		i, stat, size;
+	int		i, stat, size, fd;
 	int		useGlobalColormap;
 	unsigned int	bitPixel, red, green, blue;
 	unsigned char	c;
@@ -173,7 +173,13 @@
 	/* now call giftopnm and ppmtopcx */
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+		file_msg("Cannot create temporary file\n");
+		return FileInvalid;
+	}
+	close(fd);
+
 	/* make command to convert gif to pcx into temp file */
 	sprintf(buf, "giftopnm -quiet | ppmtopcx -quiet > %s", pcxname);
 	if ((giftopcx = popen(buf,"w" )) == 0) {
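Review bot: `pcxname` may be up to PATH_MAX long because TMPDIR comes from the environment, yet the following line still formats it into `buf[BUFLEN]` with an unbounded `sprintf`. BUFLEN is not visible here, so either confirm it is large enough or use `snprintf(buf, sizeof(buf), "giftopnm -quiet | ppmtopcx -quiet > %s", pcxname);` and treat truncation as an error. f_readppm.c builds its `ppmtopcx` command the same way. The name is also pasted unquoted into a shell command, so a TMPDIR containing spaces or shell metacharacters would break the redirect. Unlike the other hunks, the new `file_msg("Cannot create temporary file\n")` drops `strerror(errno)`.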
diff -urNad xfig~/f_readppm.c xfig/f_readppm.c
--- xfig~/f_readppm.c
+++ xfig/f_readppm.c
@@ -34,10 +34,16 @@
 {
 	char	 buf[BUFLEN],pcxname[PATH_MAX];
 	FILE	*giftopcx;
-	int	 stat, size;
+	int	 stat, size, fd;
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+	    file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno));
+	    return FileInvalid;
+	}
+	close(fd);
+
 	/* make command to convert gif to pcx into temp file */
 	sprintf(buf, "ppmtopcx > %s 2> /dev/null", pcxname);
 	if ((giftopcx = popen(buf,"w" )) == 0) {
diff -urNad xfig~/f_readtif.c xfig/f_readtif.c
--- xfig~/f_readtif.c
+++ xfig/f_readtif.c
@@ -33,11 +33,16 @@
 {
 	char	 buf[2*PATH_MAX+40],pcxname[PATH_MAX];
 	FILE	*tiftopcx;
-	int	 stat;
+	int	 stat, fd;
 
 	/* make name for temp output file */
-	sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid());
-
+	snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR);
+	if ((fd = mkstemp(pcxname)) == -1) {
+	    file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno));
+		return FileInvalid;
+	}
+	close(fd);
+	
 	/* make command to convert tif to pnm then to pcx into temp file */
 	/* for some reason, tifftopnm requires a file and can't work in a pipe */
 	sprintf(buf, "tifftopnm %s 2> /dev/null | ppmtopcx > %s 2> /dev/null",
diff -urNad xfig~/f_util.c xfig/f_util.c
--- xfig~/f_util.c
+++ xfig/f_util.c
@@ -906,14 +906,20 @@
 int strain_out(char *name)
 {
     char    line[RC_BUFSIZ+1], *tok;
+    int fd;
 
     /* make a temp filename in the user's home directory so we
        can just rename it to .xfigrc after creating it */
-    sprintf(tmpname, "%s/%s%06d", userhome, "xfig-xfigrc", getpid());
-    tmpf = fopen(tmpname,"wb");
-    if (tmpf == 0) {
-	file_msg("Can't make temporary file for .xfigrc - error: %s",strerror(errno));
-	return -1;	
+    snprintf(tmpname, sizeof(tmpname), "%s/xfig-xfigrc.XXXXXX", userhome);
+
+    if ((fd = mkstemp(tmpname)) == -1 || (tmpf = fdopen(fd, "wb")) == NULL) {
+       file_msg("Can't make temporary file for .xfigrc - error: %s",
+              strerror(errno));
+       if (fd != -1) {
+          unlink(tmpname);
+          close(fd);
+       }
+       return -1;
     }
     /* read the .xfigrc file and write all to temp file except file names */
     xfigrc = fopen(xfigrc_name,"r");
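Review bot: `sizeof(tmpname)` only yields the buffer size if `tmpname` is an array whose full definition is visible in this file. Its declaration is outside the hunk, and a `char *` would give the pointer size while an `extern char tmpname[]` would not compile. With a pointer the template would be truncated to a few bytes and mkstemp() would fail with EINVAL on every call; that fails closed, but .xfigrc would never be rewritten. The same check applies to `sizeof(filename)` in the w_srchrepl.c hunk. mkstemp() also creates the file with mode 0600, so after the rename described in the comment .xfigrc would become owner-only, a behaviour change worth a one-line comment.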
diff -urNad xfig~/main.c xfig/main.c
--- xfig~/main.c
+++ xfig/main.c
@@ -657,8 +657,10 @@
     update_figs = False;
 
     /* get the TMPDIR environment variable for temporary files */
-    if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL)
-	TMPDIR = "/tmp";
+    if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL) {
+		if ((TMPDIR = getenv("TMPDIR")) == NULL)
+			TMPDIR = "/tmp";
+	}
 
     /* first check args to see if user wants to scale the figure as it is
 	read in and make sure it is a resonable (positive) number */
@@ -1673,7 +1675,14 @@
     if (userhome != NULL && *strcpy(cut_buf_name, userhome) != '\0') {
 	strcat(cut_buf_name, "/.xfig");
     } else {
-	sprintf(cut_buf_name, "%s/xfig%06d", TMPDIR, getpid());
+		int fd;
+		sprintf(cut_buf_name, "%s/xfig.XXXXXX", TMPDIR);
+		if ((fd = mkstemp(cut_buf_name)) == -1) {
+			fprintf(stderr, "Can't create temporary file for cut_buff: %s\n",
+					strerror(errno));
+			exit(0);
+		}
+		close(fd);
     }
 }
 
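Review bot: `sprintf(cut_buf_name, "%s/xfig.XXXXXX", TMPDIR)` stays unbounded even though TMPDIR now comes from either XFIGTMPDIR or TMPDIR in the environment. The size of `cut_buf_name` is not visible in this hunk, so use `snprintf` with the buffer's real size and treat truncation as a failure. `exit(0)` on mkstemp() failure reports success to the parent process; `exit(1)` would be the usual choice. The w_print.c hunk has the same unbounded `sprintf` into `batch_file`. The enclosing function starts outside the hunk.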
diff -urNad xfig~/mode.c xfig/mode.c
--- xfig~/mode.c
+++ xfig/mode.c
@@ -86,7 +86,7 @@
 
 int		cur_exp_lang;		/* gets initialized in main.c */
 Boolean		batch_exists = False;
-char		batch_file[32];
+char		batch_file[PATH_MAX];
 
 /*******************************************************************/
 /* If you change the order of the lang_items[] you must change the */
diff -urNad xfig~/u_print.c xfig/u_print.c
--- xfig~/u_print.c
+++ xfig/u_print.c
@@ -92,9 +92,16 @@
     char	    syspr[2*PATH_MAX+200];
     char	    tmpfile[PATH_MAX];
     char	   *name;
+    int     fd;
 
-    sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-print", getpid());
+    snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-print.XXXXXX", TMPDIR);
     warnexist = False;
+    if ((fd = mkstemp(tmpfile)) == -1) {
+       file_msg("Can't open temp file %s: %s\n", tmpfile, strerror(errno));
+       return;
+    }
+    close(fd);
+
     init_write_tmpfile();
     if (write_file(tmpfile, False)) {
       end_write_tmpfile();
@@ -671,10 +678,16 @@
     char   errfname[PATH_MAX];
     FILE  *errfile;
     char   str[400];
-    int	   status;
+    int	   status, fd;
 
     /* make temp filename for any errors */
-    sprintf(errfname, "%s/xfig-export%06d.err", TMPDIR, getpid());
+    snprintf(errfname, sizeof(errfname), "%s/xfig-export.XXXXXX", TMPDIR);
+    if ((fd = mkstemp(errfname)) == -1) {
+	file_msg("Can't open temp file %s: %s\n", errfname, strerror(errno));
+	return 1;
+    }
+    close(fd);
+    
     /* direct any output from fig2dev to this file */
     strcat(command, " 2> "); 
     strcat(command, errfname); 
diff -urNad xfig~/w_print.c xfig/w_print.c
--- xfig~/w_print.c
+++ xfig/w_print.c
@@ -295,9 +295,10 @@
 do_print_batch(Widget w)
 {
 	FILE	   *infp,*outfp;
-	char	    tmp_exp_file[32];
+	char	    tmp_exp_file[PATH_MAX];
 	char	    str[255];
 	char	    backgrnd[10], grid[80];
+   int       fd;
 
 	if (writing_batch || emptyfigure_msg(print_msg))
 		return;
@@ -306,11 +307,20 @@
 	/* this could happen if the user presses the button too fast */
 	writing_batch = True;
 
-	/* make a temporary name to write the batch stuff to */
-	sprintf(batch_file, "%s/%s%06d", TMPDIR, "xfig-batch", getpid());
 	/* make a temporary name to write this figure to */
-	sprintf(tmp_exp_file, "%s/%s%06d", TMPDIR, "xfig-exp", getpid());
-	batch_exists = True;
+	snprintf(tmp_exp_file, sizeof(tmp_exp_file), "%s/xfig-exp.XXXXXX",
+		TMPDIR);
+
+	if (batch_exists != True) {
+		/* make a temporary name to write the batch stuff to */
+		sprintf(batch_file, "%s/xfig-batch.XXXXXX", TMPDIR);
+		if ((fd = mkstemp(batch_file)) == -1) {
+			file_msg("Error creating temporary file");
+			return;
+		}
+		close(fd);
+		batch_exists = True;
+	}
 	if (!print_popup) 
 		create_print_panel(w);
 
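Review bot: The new `return;` after a failed `mkstemp(batch_file)` leaves `writing_batch` set to True, which was assigned a few lines above. The guard at the top of do_print_batch returns early whenever that flag is set, so a single failure would appear to disable batch printing for the rest of the session unless the flag is cleared elsewhere. Reset it before returning: `writing_batch = False;`. The `return;` after `mkstemp(tmp_exp_file)` in the following hunk has the same problem. The rest of the function is outside the hunk.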
@@ -323,6 +333,12 @@
 	/* make a #rrggbb string from the background color */
 	make_rgb_string(export_background_color, backgrnd);
 
+	if ((fd = mkstemp(tmp_exp_file)) == -1) {
+		file_msg("Error creating temporary file");
+		return;
+	}
+	close(fd);
+
 	/* get grid params and assemble into fig2dev parm */
 	get_grid_spec(grid, print_grid_minor_text, print_grid_major_text);
 
diff -urNad xfig~/w_srchrepl.c xfig/w_srchrepl.c
--- xfig~/w_srchrepl.c
+++ xfig/w_srchrepl.c
@@ -788,7 +788,7 @@
   char	 *cmd;
   char	  str[300];
   FILE	 *fp;
-  int	  len, i;
+  int	  len, i, fd;
   Boolean done = FALSE;
   static int lines = 0;
 
@@ -804,9 +804,12 @@
   }
   lines = 0;
 
-  sprintf(filename, "%s/xfig-spell.%d", TMPDIR, (int)getpid());
-  fp = fopen(filename, "w");
-  if (fp == NULL) {
+  snprintf(filename, sizeof(filename), "%s/xfig-spell.XXXXXX", TMPDIR);
+  if ((fd = mkstemp(filename)) == -1 || (fp = fdopen(fd, "w")) == NULL) {
+    if (fd != -1) {
+	unlink(filename);
+	close(fd);
+    }
     file_msg("Can't open temporary file: %s: %s\n", filename, strerror(errno));
   } else {
     /* locate all text objects and write them to file fp */

