Bug 97608 - insecure temporary file creation
Summary: insecure temporary file creation
Alias: None
Product: kdelibs
Classification: Frameworks and Libraries
Component: general
Version: unspecified
Platform: Compiled Sources Linux
: NOR normal
Target Milestone: ---
Assignee: Stephan Kulow
Depends on:
Reported: 2005-01-21 17:27 UTC by Davide Madrisan
Modified: 2005-02-16 10:37 UTC

A patch that uses mktemp (694 bytes, patch)
2005-01-21 17:30 UTC, Davide Madrisan

Description Davide Madrisan 2005-01-21 17:27:42 UTC
Version:            (using KDE KDE 3.3.2)
Installed from:    Compiled From Sources
Compiler:          gcc (GCC) 3.4.3 
OS:                Linux

the script 
creates temporary files with names created in an insecure manner (a fixed name with the process ID ($$) at the end).
Comment 1 Davide Madrisan 2005-01-21 17:30:09 UTC
Created attachment 9205
A patch that uses mktemp
Comment 2 Stephan Kulow 2005-01-21 17:58:51 UTC
On Friday 21 January 2005 17:30, Davide Madrisan wrote:
> ------- Additional Comments From davide.madrisan qilinux it  2005-01-21
> 17:30 ------- Created an attachment (id=9205)
>  --> (http://bugs.kde.org/attachment.cgi?id=9205&action=view)
> A patch that uses mktemp
Unfortunately mktemp is not portable, but there is no reason the file has to 
be in /tmp

Greetings, Stephan

Comment 3 Stephan Kulow 2005-01-21 17:59:32 UTC
CVS commit by coolo: 

don't create guessable files in /tmp
BUG: 97608

  M +5 -3      dcopidlng   1.7

--- kdelibs/dcop/dcopidlng/dcopidlng  #1.6:1.7
@@ -1,13 +1,15 @@
+trap "rm -f dcopidlng.stderr.$$"
 if test -z "$KDECONFIG"; then
 LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2>/tmp/dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$
 if [ $RET -ne 0 ]
-   cat /tmp/dcopidlng.stderr.$$ >&2
+   cat dcopidlng.stderr.$$ >&2
-rm /tmp/dcopidlng.stderr.$$
 exit $RET
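
Review bot: the added `trap "rm -f dcopidlng.stderr.$$"` at the top of the hunk names no condition, so no handler is installed for shell exit, and because the explicit `rm` at the end is removed the stderr file is never deleted; give the trap a condition, for example `trap "rm -f dcopidlng.stderr.$$" 0`. The redirect `2> dcopidlng.stderr.$$` still uses a name built only from the PID, now relative to the working directory, so it is safe only when that directory is writable by the invoking user alone, and it fails outright when the directory is not writable. Creating a directory with `mkdir` under a restrictive umask and writing the file inside it would remove both dependencies without needing mktemp.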

Comment 4 René Rhéaume 2005-02-14 15:28:02 UTC
How can this be more secure? The file name pattern is still predictable.

Also, does the perl command emit output on stdout normally? If not, get rid of the temporary file handling and put exit $? at the end instead.
Comment 5 Stephan Kulow 2005-02-14 15:51:54 UTC
But the file name is not in a global directory, so the file name being predictable doesn't matter as only the user can write there.
Comment 6 Carsten Lohrke 2005-02-15 21:33:35 UTC
In http://bugs.gentoo.org/show_bug.cgi?id=81652 Tavis Ormandy pointed out:

>The fix suggested upstream does not look acceptable, it doesn't solve the issue
>of predictable temp files (what if the user executes the script in /tmp?), and
>it would break if the user ran the script with a working directory they don't
>have write permissions to.

I think he's right.
Comment 7 Stephan Kulow 2005-02-16 10:37:30 UTC
If the user compiles KDE in /tmp there are tons more of predictable files created - like tons of .o files, config.status, etc. I don't see the point. And these files do not even have predictable names but fixed names. So you better make your users aware not to call random things when being in /tmp.
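
A portable way to address the points raised in this thread (mktemp not being available everywhere, predictable names, an unwritable working directory), as an added example that is not part of the bug report or of the dcopidlng script: create a private directory with `mkdir` under `umask 077` and write the stderr file inside it. The function names and the `capture.` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the kdelibs script: capture a command's stderr in a
# private scratch directory without relying on mktemp(1).

# make_private_dir: create a fresh mode-0700 directory under ${TMPDIR:-/tmp}
# and print its path. mkdir fails if the name already exists, even as a
# dangling symlink, so a pre-planted entry is skipped instead of followed.
make_private_dir() {
    base=${TMPDIR:-/tmp}
    i=0
    while [ "$i" -lt 20 ]; do
        dir="$base/capture.$$.$i"   # predictable name is fine: safety comes from mkdir
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# run_capturing_stderr CMD [ARGS...]: run CMD, replay its stderr only when it
# fails, and return CMD's exit status.
run_capturing_stderr() {
    scratch=$(make_private_dir) || { echo "cannot create scratch directory" >&2; return 1; }
    trap 'rm -rf "$scratch"' 0      # condition 0 = shell exit
    trap 'exit 1' 1 2 15            # HUP, INT, TERM: exit, which runs the trap above
    ret=0
    "$@" 2>"$scratch/stderr" || ret=$?
    if [ "$ret" -ne 0 ]; then
        cat "$scratch/stderr" >&2
    fi
    rm -rf "$scratch"
    trap - 0 1 2 15
    return "$ret"
}
```
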