Bug 97608

Summary: insecure temporary file creation
Product: [Frameworks and Libraries] kdelibs
Reporter: Davide Madrisan <davide.madrisan>
Component: general
Assignee: Stephan Kulow <coolo>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit:
Version Fixed In:
Attachments: A patch that uses mktemp

Description Davide Madrisan 2005-01-21 17:27:42 UTC
Version:            (using KDE KDE 3.3.2)
Installed from:    Compiled From Sources
Compiler:          gcc (GCC) 3.4.3 
OS:                Linux

The script kdelibs-3.3.2/dcop/dcopidlng/dcopidlng creates temporary files with names created in an insecure manner (a fixed name with the process ID ($$) at the end).
Comment 1 Davide Madrisan 2005-01-21 17:30:09 UTC
Created attachment 9205
A patch that uses mktemp
Comment 2 Stephan Kulow 2005-01-21 17:58:51 UTC
On Friday 21 January 2005 17:30, Davide Madrisan wrote:
> ------- Additional Comments From davide.madrisan qilinux it  2005-01-21
> 17:30 ------- Created an attachment (id=9205)
>  --> (http://bugs.kde.org/attachment.cgi?id=9205&action=view)
> A patch that uses mktemp
Unfortunately mktemp is not portable, but there is no reason the file has to 
be in /tmp

Greetings, Stephan

Comment 3 Stephan Kulow 2005-01-21 17:59:32 UTC
CVS commit by coolo: 

don't create guessable files in /tmp
BUG: 97608


  M +5 -3      dcopidlng   1.7


--- kdelibs/dcop/dcopidlng/dcopidlng  #1.6:1.7
@@ -1,13 +1,15 @@
 #!/bin/sh
+
+trap "rm -f dcopidlng.stderr.$$"
+
 if test -z "$KDECONFIG"; then
     KDECONFIG=kde-config
 fi
 LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2>/tmp/dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$
 RET=$?
 if [ $RET -ne 0 ]
 then
-   cat /tmp/dcopidlng.stderr.$$ >&2
+   cat dcopidlng.stderr.$$ >&2
 fi
-rm /tmp/dcopidlng.stderr.$$
 exit $RET
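
Review bot: the added `trap "rm -f dcopidlng.stderr.$$"` line has no condition after the command, so no cleanup handler is installed; with the final `rm /tmp/dcopidlng.stderr.$$` line removed and nothing replacing it, the stderr file is now left behind in the working directory on every run. Give the trap a condition, for example `trap "rm -f dcopidlng.stderr.$$" 0`, or keep an explicit `rm -f` before `exit $RET`. Separately, `2> dcopidlng.stderr.$$` still opens a predictable name and follows an existing symlink, so the change is only safe when the current directory is writable by the invoking user alone, and the redirect fails outright when that directory is not writable. The script has no check for either case.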


Comment 4 René Rhéaume 2005-02-14 15:28:02 UTC
coolo: 
How can this be more secure? The file name pattern is still predictable.

Also, does the perl command emit output on stdout normally? If not, get rid of the temporary file handling and put exit $? at the end instead.
Comment 5 Stephan Kulow 2005-02-14 15:51:54 UTC
But the file name is not in a global directory, so the file name being predictable doesn't matter as only the user can write there.
Comment 6 Carsten Lohrke 2005-02-15 21:33:35 UTC
In http://bugs.gentoo.org/show_bug.cgi?id=81652 Tavis Ormandy pointed out:

>The fix suggested upstream does not look acceptable, it doesn't solve the issue
>of predictable temp files (what if the user executes the script in /tmp?), and
>it would break if the user ran the script with a working directory they don't
>have write permissions to.

I think he's right.
Comment 7 Stephan Kulow 2005-02-16 10:37:30 UTC
If the user compiles KDE in /tmp there are tons more of predictable files created - like tons of .o files, config.status, etc. I don't see the point. And these files do not even have predictable names but fixed names. So you better make your users aware not to call random things when being in /tmp.
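
Added example, not part of the bug thread or the KDE fix: one way to keep the wrapper's behaviour (show stderr only on failure) without `mktemp` and without a guessable file in a shared or unwritable working directory, the objections raised in comments 2 and 6. The function names and the `dcopidlng.$$.N` directory pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the KDE project's code. Function names and the
# dcopidlng.$$.N naming pattern are assumptions made for this example.

# make_private_dir: create a directory only the caller can access under
# ${TMPDIR:-/tmp} and print its path. mkdir fails if the name already exists,
# symlinks included, so a path planted by another user is skipped, never
# followed. Gives up (returns 1) after 100 taken names.
make_private_dir() {
    mpd_n=0
    while [ "$mpd_n" -lt 100 ]; do
        mpd_dir="${TMPDIR:-/tmp}/dcopidlng.$$.$mpd_n"
        if (umask 077 && mkdir "$mpd_dir") 2>/dev/null; then
            printf '%s\n' "$mpd_dir"
            return 0
        fi
        mpd_n=$((mpd_n + 1))
    done
    return 1
}

# run_quiet_unless_failed CMD [ARG...]: run CMD, replay its stderr only if it
# fails (what the dcopidlng wrapper does), and return CMD's exit status.
run_quiet_unless_failed() {
    rq_dir=$(make_private_dir) || return 125
    rq_ret=0
    # The stderr file lives inside the private directory, so its fixed name
    # cannot be pre-created by anyone else.
    "$@" 2>"$rq_dir/stderr" || rq_ret=$?
    if [ "$rq_ret" -ne 0 ]; then
        cat "$rq_dir/stderr" >&2
    fi
    rm -rf "$rq_dir"
    return "$rq_ret"
}
```

Because the directory is created with `mkdir` under a 077 umask, a predictable name costs at most a retry instead of a write through someone else's symlink.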