Hello list, I noted that the patch provided ( http://www.winehq.org/hypermail/wine-devel/2005/03/0624.html ) to fix that problem isn't secure yet, because a symlink attack could be possible if /tmp is a mounted NFS file system.
Indeed:
1) The name of the file in /tmp is easily predictable: it uses getpid().
2) O_EXCL, when used with O_CREAT, makes open() fail with an error if the file already exists. O_EXCL is broken on NFS file systems, so programs which rely on it for performing locking tasks will contain a race condition.
Possible fix using the tempnam() function to generate a pseudo-random string for the tmp file name: _______________________________________________________________ --- misc/registry.c Thu Mar 24 13:36:43 2005 +++ misc/registry.c Thu Mar 24 13:46:46 2005 @@ -1222,12 +1222,11 @@ static LPSTR _get_tmp_fn(FILE **f) { LPSTR ret; - int tmp_fd,count; + int tmp_fd;
- ret = _xmalloc(50); - for (count = 0;;) { - sprintf(ret,"/tmp/reg%lx%04x.tmp",(long)getpid(),count++); - if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0666)) != -1) break; + for (;;) { + ret = tempnam("/tmp", "reg"); + if ((tmp_fd = open(ret,O_CREAT | O_EXCL | O_WRONLY,0600)) != -1) break; if (errno != EEXIST) { ERR("Unexpected error while open() call: %s\n",strerror(errno)); free(ret); _______________________________________________________________
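Review bot: the new loop assigns `ret = tempnam("/tmp", "reg");` and passes it straight to open() without checking for NULL, and on the EEXIST path it loops round and reassigns ret without freeing the previous tempnam() result, so every retry leaks a malloc'd string. The hunk also still creates the file with `O_CREAT | O_EXCL`, so the NFS O_EXCL concern raised in the cover text is not addressed by this change; only the name becomes harder to guess. Letting mkstemp() choose the name and create the file in one call removes the guessable name, the open() and the retry loop together, e.g. `strcpy(ret, "/tmp/regXXXXXX"); tmp_fd = mkstemp(ret);` followed by a check that tmp_fd != -1. The change from 0666 to 0600 is right and should stay.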
Best regards,
Giovanni Delvecchio
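The two problems described in the mail above, a pid-based name that anyone can compute and a symlink planted at that name, can be reproduced locally. The following C program is an added example; it is not code from the mail or from Wine. It builds a name of the same shape as the original _get_tmp_fn() inside a private mkdtemp() directory under /tmp (assumed writable), plants a dangling symlink there, and shows that a plain O_CREAT open writes through the link while O_CREAT|O_EXCL is refused with EEXIST. It then shows the hardened replacement: mkstemp() to pick the name and create the file atomically, plus an fstat() check on the returned descriptor. This runs on a local file system and does not reproduce the NFS behaviour the thread is about.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A name built the way the original _get_tmp_fn() builds it, from the pid and a
 * counter. Anyone who can read the process list can compute the same string.
 * Returns the length snprintf() reports. */
int predictable_tmp_name(char *buf, size_t n, const char *dir, long pid, int count)
{
    return snprintf(buf, n, "%s/reg%lx%04x.tmp", dir, pid, count);
}

/* Plants a dangling symlink at the predictable path (the "attacker" has already
 * won the race), then opens that path naively with O_CREAT alone and again with
 * O_CREAT|O_EXCL as the patch does. Works in a private mkdtemp() directory so
 * nothing in /tmp itself is touched. Returns 0 when the naive open created the
 * attacker's target through the link and the O_EXCL open failed with EEXIST;
 * negative on setup failure, positive when an open did not behave that way. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/regdemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[512], target[512];
    predictable_tmp_name(victim, sizeof victim, dir, (long)getpid(), 0);
    snprintf(target, sizeof target, "%s/attacker_chosen_file", dir);

    if (symlink(target, victim) != 0) {
        rmdir(dir);
        return -2;
    }

    int rc = 0;
    /* Naive open: O_CREAT without O_EXCL follows the link and creates target. */
    int fd = open(victim, O_CREAT | O_WRONLY, 0666);
    if (fd < 0 || access(target, F_OK) != 0)
        rc = 1;
    if (fd >= 0)
        close(fd);
    unlink(target);

    /* O_CREAT|O_EXCL: POSIX requires EEXIST when the path names a symlink,
     * dangling or not, so the planted link is never followed. */
    errno = 0;
    fd = open(victim, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if ((fd >= 0 || errno != EEXIST) && rc == 0)
        rc = 2;
    if (fd >= 0)
        close(fd);

    unlink(victim);
    unlink(target);
    rmdir(dir);
    return rc;
}

/* Hardened replacement: mkstemp() fills the XXXXXX from a random pool and
 * creates the file with O_CREAT|O_EXCL and mode 0600 in one call, so there is
 * no guessable name and no gap between naming and creating. The fstat() is on
 * the descriptor, not the path, so it reports what was actually opened.
 * Returns the descriptor, or -1 (file removed) on any failure. */
int open_private_tmpfile(char *path, size_t n)
{
    static const char tmpl[] = "/tmp/regXXXXXX";
    if (n < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Creates, verifies and removes one private temp file. Returns 0 on success. */
int demo_hardened(void)
{
    char path[64];
    int fd = open_private_tmpfile(path, sizeof path);
    if (fd < 0)
        return 1;
    /* mkstemp() keeps the prefix and replaces exactly the six X's. */
    int rc = (strncmp(path, "/tmp/reg", 8) == 0 && strlen(path) == 14) ? 0 : 2;
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("symlink demo: %d, hardened: %d\n", demo_symlink_attack(), demo_hardened());
    return 0;
}
```

The fstat() check is what makes the hardened version useful beyond mkstemp() alone: it verifies the regular-file type, single link count, ownership and the absence of group/other permission bits on the descriptor that was actually opened, so a caller that later hands the path to another process still knows what it created.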
On Thu, Mar 24, 2005 at 03:27:29PM +0100, Giovanni Delvecchio wrote:
> Hello list, I noted that the patch provided ( http://www.winehq.org/hypermail/wine-devel/2005/03/0624.html ) to fix that problem isn't secure yet, because a symlink attack could be possible if /tmp is a mounted NFS file system.
Actually the tmp handling in misc/registry.c is fully gone after the 20050310 release.
Ciao, Marcus