Date: Fri, 29 Jun 2012 10:12:29 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: office2john.c uses mktemp()

On Fri, Jun 29, 2012 at 2:17 AM, Solar Designer <solar@...nwall.com> wrote:
> Dhiru, all -
>
> I've just noticed this:
>
>        dirname = mktemp(template);
>        if (!dirname) {
>                perror("mkdtemp");
>                exit(-1);
>        }
>        outfile = gsf_outfile_stdio_new(dirname, &err);
>        if (outfile == NULL) {
>
> I hope gsf_outfile_stdio_new() will return NULL if the directory name is
> already taken, so this is not a security hole then (otherwise it is!),
> but even if so this has two issues:

I will try this soon and see what happens.

> 1. mktemp() is deprecated, to the point that some systems will give
> scary warnings and some might not even provide the function.

Will replace it with mkstemp.

> 2. In the perror() call, it says "mkdtemp", whereas the function that
> was actually called was mktemp().

Typo. Message inside perror should be mktemp. gsf_outfile_stdio_new
itself creates the folder IIRC.

> Do you see an easy fix for this?  If so, please propose one in here
> first, don't commit any fix right away.

Replace mktemp by mkstemp and ensure that gsf_outfile_stdio_new works
correctly.

I will do some tests and report back.

-- 
Cheers,
Dhiru
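
The temporary-directory creation discussed in this thread, as an added example that is not part of the original message or of office2john.c: mkdtemp() picks the name and creates the directory in one step with mode 0700, so there is no window between choosing the name and creating it. The helper names and the `/tmp/office2john-XXXXXX` template are assumptions, and the libgsf call is left out because its behaviour on an existing name is what the thread has not yet established.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: declare mkdtemp() under strict -std= */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not office2john.c code): writes the path of a newly
 * created private directory into buf. Returns 0, or -1 with errno set. */
int make_private_tmpdir(char *buf, size_t len)
{
    struct stat st;
    int n = snprintf(buf, len, "/tmp/office2john-XXXXXX");
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkdtemp() chooses the name and creates the directory in one step,
     * mode 0700, trying another name if the one it picked already exists. */
    if (!mkdtemp(buf))
        return -1;
    /* Defensive check: a real directory (not a symlink), ours, private. */
    if (lstat(buf, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The property the thread asks about: creating a directory at a name
 * that is already taken must fail. Returns 1 if mkdir() gives EEXIST. */
int refuses_existing_name(const char *path)
{
    return mkdir(path, 0700) == -1 && errno == EEXIST;
}

int main(void)
{
    char dir[64];
    if (make_private_tmpdir(dir, sizeof dir) != 0) {
        perror("mkdtemp");
        return 1;
    }
    printf("%s created, reuse refused: %d\n", dir, refuses_existing_name(dir));
    return rmdir(dir) != 0;
}
```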
