Re: bash and /tmp/ ... another one

[Solar Designer]

Hi,

> While scanning huge grep logs, I found another /tmp race condition in 
> bash/bash2.
> 
> Actually there are 3 occurences, but only 1 of them is for real I think.

Yes, it seems so, -- and I've missed this one when grepping bash-2.04
a month ago (it's not in a *.c file, and there're lots of other /tmp
problems in tests/* and support/* scripts, which I wasn't going to fix
at this stage).

> builtins/fc.def:      "/tmp/bash%d" 
>                       fopen("w")
> 
>       This is the visual history editor. Affected.

I've updated the bash-2.04 patch we have in Owl to include a fix for
this as well, and am attaching the patch.  It uses mkstemp(), but is
meant to be portable if a mkstemp() substitute is included with bash.

The patch also uses $TMPDIR (if set).

> subst.c:
>         tname = mktemp (savestring ("/tmp/sh-np-XXXXXX"));
>         if (mkfifo (tname, 0600) < 0)
> 
>         mkfifo fortunately does not appear to follow symlinks on Linux.

Yes, and this code isn't compiled in on Linux (which has /dev/fd),
but I am patching it anyway (due to the DoS possibility this has),
just for completeness.

-- 
/sd

bash-2.04-owl-tmp.diff
Description: Text document