[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: mailx-5.5 (slackware /bin/mail) security hole
From: Theodore Ts'o <tytso () MIT ! EDU>
Date: 1995-12-23 18:29:43
[Download RAW message or body]
My, the more things change, the more things stay the same. This is an
*old*, *old*, **old** vulnerability. In fact, it's so old that BSD 4.3
(back when dinosaurs prowled the earth :-), introduced the mkstemp()
call to deal with this vulnerability.
int mkstemp(char *template)
Works just like mktemp(), but it returns a file descriptor which is open
for reading and writing. This file descriptor is guaranteed to belong
to a fresly created file. mkstemp() is already in the Linux libc, for
BSD compatibility --- it's just a matter of modifying existing programs
to use it.
It would probably be a good idea for future descriptions of this particular
security problem also included the a fix for getting around this
problem. Using mkstemp(), where available, is a fine way to fix the
problem. If it's not available, it's not terribly hard to write a
mkstemp() function, or to simply use mktemp and open the file with the
O_CREAT and O_EXCL flags.
Regarding the denial of service attack if there are more than 62
conflicting file names --- this sounds like a bug in mktemp() to me! It
clearly should be using a better algorithm if that's all it takes to
trip it up.
- Ted
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic