From venglin@lagoon.FreeBSD.lublin.pl Sat Aug 21 04:42:57 1999
Return-Path: <venglin@lagoon.FreeBSD.lublin.pl>
Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.76])
	by hub.freebsd.org (Postfix) with ESMTP id 0BBE114FA3
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 21 Aug 1999 04:42:49 -0700 (PDT)
	(envelope-from venglin@lagoon.FreeBSD.lublin.pl)
Received: from lagoon.freebsd.lublin.pl ([212.182.117.180]:14610 "HELO
        lagoon.FreeBSD.lublin.pl") by krupik.man.lublin.pl with SMTP
	id <S1628874AbPHULlC>; Sat, 21 Aug 1999 13:41:02 +0200
Received: (qmail 31191 invoked by uid 1001); 21 Aug 1999 11:42:43 -0000
Message-Id: <19990821114243.31190.qmail@lagoon.FreeBSD.lublin.pl>
Date: 21 Aug 1999 11:42:43 -0000
From: venglin@lagoon.FreeBSD.lublin.pl
Reply-To: venglin@lagoon.FreeBSD.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: [SECURITY] Potential IPXrouted(8) /tmp security problem
X-Send-Pr-Version: 3.2

>Number:         13286
>Category:       bin
>Synopsis:       [SECURITY] Potential IPXrouted(8) /tmp security problem
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    jhay
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 21 04:50:01 PDT 1999
>Closed-Date:    Wed Feb 16 09:31:04 PST 2000
>Last-Modified:  Wed Feb 16 09:35:02 PST 2000
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
Unia Lubelska High School
>Environment:

	FreeBSD lagoon.FreeBSD.lublin.pl 3.2-STABLE FreeBSD 3.2-STABLE #0: Fri Aug 13 19:51:28 CEST 1999     venglin@lagoon.FreeBSD.lublin.pl:/var/obj/sys/compile/LAGOON  i386

>Description:

	An attacker can overwrite any file by creating a link to /tmp/ipxrouted.dmp.

>How-To-Repeat:

	$ ln -s /etc/master.passwd /tmp/ipxrouted.dmp

	When root sends SIGINFO to the IPXrouted process, the file /etc/master.passwd
	is overwritten.

>Fix:
	
	Use mkstemp() when opening the dump file.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jhay 
Responsible-Changed-By: ru 
Responsible-Changed-When: Tue Sep 14 10:23:03 PDT 1999 
Responsible-Changed-Why:  
So John remembers to MFC. 
State-Changed-From-To: open->closed 
State-Changed-By: jhay 
State-Changed-When: Wed Feb 16 09:31:04 PST 2000 
State-Changed-Why:  
Fixed in -current and RELENG_3, revisions 1.9 and 1.7.2.3 of IPXrouted/main.c. 
>Unformatted:
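
The following C sketch is an added example, not code from the report or from IPXrouted/main.c. It replays the symlink problem inside a private scratch directory and contrasts a fixed-name fopen() with the mkstemp() approach suggested under >Fix:. The function names, the scratch paths and the "victim" file are constructed for illustration.

```c
/* Added example: fixed-name dump file vs. mkstemp(); all names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the report: fopen("w") on a predictable name follows a symlink. */
static int dump_fixed_name(const char *path, const char *text) {
    FILE *fp = fopen(path, "w");      /* truncates whatever the link points at */
    if (fp == NULL) return -1;
    fputs(text, fp);
    return fclose(fp);
}

/* Suggested fix: mkstemp() picks an unused name and opens it with O_CREAT|O_EXCL,
   so a pre-planted link is never followed; the file is created mode 0600. */
static int dump_mkstemp(char *tmpl, const char *text) {
    int fd = mkstemp(tmpl);           /* tmpl is rewritten with the real name */
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    return (close(fd) == 0 && n == (ssize_t)strlen(text)) ? 0 : -1;
}

/* Returns 1 if the file at path still holds the constructed marker "original". */
static int intact(const char *path) {
    char buf[32] = "";
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;
    if (fgets(buf, sizeof buf, fp) == NULL) buf[0] = '\0';
    fclose(fp);
    return strcmp(buf, "original") == 0;
}

/* Bit 0: victim survived the fixed-name dump. Bit 1: it survived the mkstemp dump. */
int replay(void) {
    char dir[] = "/tmp/ipxdemo.XXXXXX", victim[64], lnk[64], tmpl[64];
    if (mkdtemp(dir) == NULL) return -1;              /* private 0700 scratch dir */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/ipxrouted.dmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/ipxrouted.dmp.XXXXXX", dir);
    if (dump_fixed_name(victim, "original") != 0 || symlink(victim, lnk) != 0) return -1;
    dump_fixed_name(lnk, "routing table dump\n");     /* writes through the link */
    int result = intact(victim);
    dump_fixed_name(victim, "original");              /* restore the victim */
    if (dump_mkstemp(tmpl, "routing table dump\n") != 0) return -1;
    result |= intact(victim) << 1;
    unlink(tmpl); unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("replay() = %d\n", replay()); return 0; }
```

A caller that needs to tell the operator where the dump went can log the name mkstemp() wrote back into the template buffer.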
