From nobody@FreeBSD.org  Tue Feb 22 22:53:24 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7E9F437B89D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Feb 2000 22:53:24 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA66054;
	Tue, 22 Feb 2000 22:53:24 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200002230653.WAA66054@freefall.freebsd.org>
Date: Tue, 22 Feb 2000 22:53:24 -0800 (PST)
From: spock@techfour.net
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] prevent possible race condition in sort
X-Send-Pr-Version: www-1.0

>Number:         16929
>Category:       bin
>Synopsis:       [PATCH] prevent possible race condition in sort
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 22 23:00:01 PST 2000
>Closed-Date:    Fri Feb 2 02:46:56 PST 2001
>Last-Modified:  Fri Feb 02 02:47:09 PST 2001
>Originator:     Mike Heffner
>Release:        4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000 
>Description:
sort can create the following predictable tempfiles:
/tmp/sort{pid}{seq}

>How-To-Repeat:
run sort
>Fix:
Since sort can create many tempfiles, we should leave its current
naming scheme alone, rather create a secure dir in TMP with mkdtemp(3),
and let sort dump its files in there.

Apply the following patch, sorry there might be whitespace bugs =(

Index: gnu/usr.bin/sort/sort.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/sort/sort.c,v
retrieving revision 1.15
diff -u -r1.15 sort.c
--- sort.c      1999/04/25 22:14:05     1.15
+++ sort.c      2000/02/23 06:45:13
@@ -171,6 +171,8 @@
 
 /* Prefix for temporary file names. */
 static char *temp_file_prefix;
+/* Temporary dir for temp files, *with* above prefix */
+static char *temp_dir = NULL;
 
 /* Flag to reverse the order of all comparisons. */
 static int reverse;
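
Review bot: the comment on the new `temp_dir` variable ("*with* above prefix") does not say what the variable holds or when it is set. State that it is the full path of the per-process directory (temp_file_prefix plus the DIR_TEMPLATE name) and that it stays NULL until the first temp file name is requested, since the cleanup hunk depends on that NULL check.
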
@@ -288,6 +290,9 @@
 
   for (node = temphead.next; node; node = node->next)
     unlink (node->name);
+  if( temp_dir )
+    rmdir(temp_dir);
+
 }
 
 /* Allocate N bytes of memory dynamically, with error checking.  */
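
Review bot: the `rmdir(temp_dir)` added after the unlink loop ignores its return value, as the `unlink` calls before it do, so if any entry is left in the directory the removal fails silently and the directory stays behind in the temp area. Check the result, or add a comment saying failure is deliberately ignored on this path. On style, `if( temp_dir )` and `rmdir(temp_dir)` depart from the `unlink (node->name)` spacing of the surrounding code, and the added blank line before the closing brace can go.
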
@@ -413,6 +418,7 @@
     }
 }
 
+#define DIR_TEMPLATE    "sortXXXXXXXXXX"
 /* Return a name for a temporary file. */
 
 static char *
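
Review bot: `DIR_TEMPLATE` is added without a comment and sits directly on top of the existing "Return a name for a temporary file" comment, so that comment now reads as if it described the macro. Give the macro its own comment saying it is the mkdtemp(3) template for the per-process directory, and separate it from the function comment with a blank line.
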
@@ -420,15 +426,29 @@
 {
   static unsigned int seq;
   int len = strlen (temp_file_prefix);
-  char *name = xmalloc (len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1);
+  char *name=xmalloc(len + 1 + sizeof(DIR_TEMPLATE)-1 + 1 + sizeof("sort")-1 + 5 + 5 + 1);
   struct tempnode *node;
 
   node = (struct tempnode *) xmalloc (sizeof (struct tempnode));
+  if( !temp_dir )
+         {
+                 temp_dir = xmalloc( len + 1 + sizeof(DIR_TEMPLATE) );
+                 sprintf(temp_dir,
+                                 "%s%s%s",
+                                 temp_file_prefix,
+                                 (len && temp_file_prefix[len - 1] != '/') ? "/" : "",
+                                 DIR_TEMPLATE);
+                 if( mkdtemp(temp_dir) == NULL )
+                         {
+                                 error(0, errno, _("can't make temp dir"));
+                                 exit(2);
+                         }
+         }
+
   sprintf (name,
-          "%s%ssort%5.5d%5.5d",
-          temp_file_prefix,
-          (len && temp_file_prefix[len - 1] != '/') ? "/" : "",
-          (unsigned int) getpid () & 0xffff, seq);
+                  "%s/sort%5.5d%5.5d",
+                  temp_dir,
+                  (unsigned int) getpid () & 0xffff, seq);
 
   /* Make sure that SEQ's value fits in 5 digits.  */
   ++seq;
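
Review bot: the "can't make temp dir" message in the new `if( !temp_dir )` block does not say where the directory was being created; since the location comes from `temp_file_prefix`, include it, for example `error(0, errno, _("can't make temp dir in %s"), temp_file_prefix);`. None of the hunks adds an #include, so confirm the header that declares mkdtemp is already pulled in. The new block is also indented far deeper than the two-space style of the lines around it, and the rewritten `xmalloc` line runs past 80 columns and drops the spaces around `=` and before the parentheses.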


>Release-Note:
>Audit-Trail:

From: Tim Vanderhoek <tim@localhost.nowhere>
To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net
Cc: vanderh@ecf.toronto.edu
Subject: Re: bin/16929: [PATCH] prevent possible race condition
Date: Tue, 16 May 2000 00:36:58 -0400 (EDT)

 >
 >sort can create the following predictable tempfiles:
 >/tmp/sort{pid}{seq}
 
 It appears that the security implications of this have already been
 fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.
 
 
 >   Fix
 >          
 >Since sort can create many tempfiles, we should leave its current
 >naming scheme alone, rather create a secure dir in TMP with mkdtemp(3),
 >and let sort dump its files in there.
 >
 >Apply the following patch, sorry there might be whitespace bugs =(
 >
 >Index: gnu/usr.bin/sort/sort.c
 >===================================================================
 >RCS file: /home/ncvs/src/gnu/usr.bin/sort/sort.c,v
 >retrieving revision 1.15
 >diff -u -r1.15 sort.c
 >--- sort.c      1999/04/25 22:14:05     1.15
 >+++ sort.c      2000/02/23 06:45:13
 >@@ -171,6 +171,8 @@
 >
 > /* Prefix for temporary file names. */
 > static char *temp_file_prefix;
 >+/* Temporary dir for temp files, *with* above prefix */
 >+static char *temp_dir = NULL;
 >
 > /* Flag to reverse the order of all comparisons. */
 > static int reverse;
 >@@ -288,6 +290,9 @@
 >
 >   for (node = temphead.next; node; node = node->next)
 >     unlink (node->name);
 >+  if( temp_dir )
 >+    rmdir(temp_dir);
 >+
 > }
 >
 > /* Allocate N bytes of memory dynamically, with error checking.  */
 >@@ -413,6 +418,7 @@
 >     }
 > }
 >
 >+#define DIR_TEMPLATE    "sortXXXXXXXXXX"
 > /* Return a name for a temporary file. */
 >
 > static char *
 >@@ -420,15 +426,29 @@
 > {
 >   static unsigned int seq;
 >   int len = strlen (temp_file_prefix);
 >-  char *name = xmalloc (len + 1 + sizeof ("sort") - 1 + 5 + 5 + 1);
 >+  char *name=xmalloc(len + 1 + sizeof(DIR_TEMPLATE)-1 + 1 + sizeof("sort")-1 +
 > 5 + 5 + 1);
 >   struct tempnode *node;
 >
 >   node = (struct tempnode *) xmalloc (sizeof (struct tempnode));
 >+  if( !temp_dir )
 >+         {
 >+                 temp_dir = xmalloc( len + 1 + sizeof(DIR_TEMPLATE) );
 >+                 sprintf(temp_dir,
 >+                                 "%s%s%s",
 >+                                 temp_file_prefix,
 >+                                 (len && temp_file_prefix[len - 1] != '/') ? "
 >/" : "",
 >+                                 DIR_TEMPLATE);
 >+                 if( mkdtemp(temp_dir) == NULL )
 >+                         {
 >+                                 error(0, errno, _("can't make temp dir"));
 >+                                 exit(2);
 >+                         }
 >+         }
 >+
 >   sprintf (name,
 >-          "%s%ssort%5.5d%5.5d",
 >-          temp_file_prefix,
 >-          (len && temp_file_prefix[len - 1] != '/') ? "/" : "",
 >-          (unsigned int) getpid () & 0xffff, seq);
 >+                  "%s/sort%5.5d%5.5d",
 >+                  temp_dir,
 >+                  (unsigned int) getpid () & 0xffff, seq);
 >
 >   /* Make sure that SEQ's value fits in 5 digits.  */
 >   ++seq;
 >
 >
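
Review bot: in this quoted copy of the last hunk, the `xmalloc` line and the `"/" : ""` line have each been wrapped onto a second line by the mailer, which splits a `+` line in two and breaks the string literal, so the quoted text will not apply as a patch. Take the patch from the original submission rather than from this reply.
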
 

From: Mike Heffner <mheffner@mailandnews.com>
To: spock@techfour.net
Cc: vanderh@ecf.toronto.edu, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/16929: [PATCH] prevent possible race condition
Date: Wed, 17 May 2000 16:34:49 -0400 (EDT)

 On 16-May-2000 Tim Vanderhoek wrote:
 | >
 | >sort can create the following predictable tempfiles:
 | >/tmp/sort{pid}{seq}
 |  
 |  It appears that the security implications of this have already been
 |  fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c.
 |  
 
 yes, i suppose they have been. however, as sort can create multiple tempfiles it
 was suggested that they be kept in one directory per sort process running (see
 thread in -audit list), rather than dumping them all in the temp dir.
 
 later,
 
 
 
 -
   Mike Heffner  <spock@techfour.net>
   Fredericksburg, VA     ICQ# 882073
   http://my.ispchannel.com/~mheffner
 -
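
The one-directory-per-process approach discussed in this thread, as an added C example (not part of the PR, the patch, or sort's source): mkdtemp(3) creates a private directory and the numbered files inside it are opened with O_EXCL. The `scratch_*` names, the buffer sizes and the use of `/tmp` in `main` are assumptions of this example.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp() and O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static char scratch_dir[1024];  /* hypothetical name: per-process private dir */

/* Create <tmpdir>/sortXXXXXXXXXX with a random suffix; 0 on success. */
static int scratch_init(const char *tmpdir)
{
    int n = snprintf(scratch_dir, sizeof scratch_dir, "%s/sortXXXXXXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= sizeof scratch_dir) return -1;
    return mkdtemp(scratch_dir) ? 0 : -1;
}

/* Permission bits of the private directory (mkdtemp creates it 0700), or -1. */
static int scratch_mode(void)
{
    struct stat st;
    return stat(scratch_dir, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Open temp file number seq; O_EXCL refuses any name that already exists. */
static int scratch_open(unsigned seq, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/sort%05u", scratch_dir, seq % 100000u);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Unlink files 0..count-1, then return rmdir()'s result so leftovers show. */
static int scratch_cleanup(unsigned count)
{
    char path[1100];
    for (unsigned i = 0; i < count; i++)
        if (snprintf(path, sizeof path, "%s/sort%05u", scratch_dir, i) > 0)
            unlink(path);
    return rmdir(scratch_dir);
}

int main(void)
{
    char path[1100];
    if (scratch_init("/tmp") != 0) { perror("mkdtemp"); return 2; }
    int fd = scratch_open(0, path, sizeof path);
    if (fd >= 0) { printf("%s (dir mode %o)\n", path, (unsigned)scratch_mode()); close(fd); }
    return (scratch_cleanup(1) == 0 && fd >= 0) ? 0 : 2;
}
```

The file names inside the directory stay predictable, as in the patch; the protection comes from the directory being owner-only and randomly named.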
 

From: Mike Heffner <mheffner@vt.edu>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: RE: bin/16929: [PATCH] prevent possible race condition in sort
Date: Tue, 30 Jan 2001 14:08:52 -0500 (EST)

 On 23-Feb-2000 spock@techfour.net wrote:
 | 
 |>Number:         16929
 |>Category:       bin
 |>Synopsis:       [PATCH] prevent possible race condition in sort
 
 This was fixed in rev 1.18, so it can be closed.
 
 -- 
 
   Mike Heffner       <mheffner@vt.edu>
   Blacksburg, VA           ICQ# 882073
   http://filebox.vt.edu/users/mheffner
 
 
State-Changed-From-To: open->closed 
State-Changed-By: kris 
State-Changed-When: Fri Feb 2 02:46:56 PST 2001 
State-Changed-Why:  
Problem resolved. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16929 
>Unformatted:
