Bug 94585

Summary: net-im/ntame-998020954 insecure temporary file creation
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Romang 2005-05-31 00:14:31 UTC
Hello,

In ntaim.h

#define DEBUG_PERM 0644
#define DEBUG_PATH "/tmp/ntaim-debug.log"

Then in debug.c

void debug_init()
{
   struct timeval tv;
   int temp;

   debug_fd = open(DEBUG_PATH, O_WRONLY|O_CREAT|O_APPEND, DEBUG_PERM);
   if (debug_fd < 0)
     {
        write(1, "Cannot open debug file.\n", 24);
        write(1, "[ Press enter to continue ]\n", 28);
        read(0, &temp, 3);
        return;
     }
   gettimeofday(&tv, NULL);
   debug_instance = tv.tv_sec;
   write(debug_fd, "nTAIM instance ", 15);
   {
      char *tmpstr = (char*)alloca(11);
      itoa(tmpstr, 11, debug_instance);
      write(debug_fd, tmpstr, strlen(tmpstr));
   }
   write(debug_fd, " started\n", 9);

   return;
}

The ntaim debug is, in my point of view, sensitive to a symlink attack.
The temporary file "/tmp/ntaim-debug.log" is known and there is no check
whether the file already exists or not. Just checking O_WRONLY|O_CREAT|O_APPEND.

Regards.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-31 00:39:43 UTC
that code is #ifdef DEBUG'ed out, the ebuild never defines that macro so a user 
would have to add that to their CFLAGS in order to ever reach the code.

Nevertheless, perhaps the O_APPEND should be replaced with O_EXCL or DEBUG_PATH 
set to "ntaim-debug.log" instead, I would suggest reassigning to net-im herd.
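
The O_EXCL idea from Comment 1, carried through as an added example; it is not part of the bug report or of nTAIM's source. The helper name `open_debug_log`, the 0600 mode, and the O_NOFOLLOW, O_NONBLOCK and fstat() checks are assumptions that go beyond what the comment proposes, so the log can still be appended to across runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not nTAIM code: open a debug log for appending
 * without following a symlink planted at `path`. Returns an fd or -1. */
int open_debug_log(const char *path)
{
    struct stat st;
    int fd;
    /* O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included,
     * already exists at path. Mode 0600 is an assumption (page uses 0644). */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;

    /* Name is taken: reopen without O_CREAT. O_NOFOLLOW rejects a symlink
     * (ELOOP); O_NONBLOCK keeps a planted FIFO from blocking the open. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Validate the object behind the fd, not the name: regular file,
     * owned by us, and not hard-linked from somewhere else. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/dbgdemo-XXXXXX";  /* constructed sandbox directory */
    char logp[64], victim[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(logp, sizeof logp, "%s/debug.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, logp) != 0) return 1;  /* simulate the planted link */
    printf("symlink planted: fd=%d\n", open_debug_log(logp));
    unlink(logp);
    printf("clean path:      fd=%d\n", open_debug_log(logp));
    return 0;
}
```

With the link in place the helper returns -1 and the link target is never created; once the link is removed the log is created as a regular file owned by the caller.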
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-31 05:58:06 UTC
conferred with security team, marking INVALID.