Re: temporary file race in texindex

[Frank Küster]

address@hidden (Karl Berry) wrote:

>     > This has been assigned CAN-2005-3011, please mention this number in
>     > the changelog when you fix this to allow easy tracking.
>
> Someone, please send me the actual bug report, and (hopefully) a fix.

Excuse me - any Debian bug report can be accessed via its bug number, so
this time it is

http://bugs.debian.org/328365

The text is:

,----
| There is a race condition on creating temporary files in texindex.
| The following function generates the name of the temporary file:
| static char *
| maketempname (int count)
| {
|   static char *tempbase = NULL;
|   char tempsuffix[10];
| 
|   if (!tempbase)
|     {
|       int fd;
|       tempbase = concat (tempdir, "txidxXXXXXX");
| 
|       fd = mkstemp (tempbase);
|       if (fd == -1)
|         pfatal_with_name (tempbase);
|     }
| 
|   sprintf (tempsuffix, ".%d", count);
|   return concat (tempbase, tempsuffix);
| }
| 
| which is used later as
| 
|  char *outname = maketempname (++tempcount);
|  FILE *ostream = fopen (outname, "w");
| 
| Since the further filenames are deterministic after the first one
| is generated, this is easily exploitable.
| The use case is rather rare though since the temporary file are only
| generated if the file to sort is longer than 50.000 lines which is
| probably not too common.
`----

Frank also commented on a potential patch:

,----
| In OpenBSD this seems to have been fixed in 2000 (sic!), see this patch
| 
http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/texinfo/util/texindex.c.diff?r1=1.2&r2=1.3
| (which probably doesn't apply today cleanly anymore but could be adapted).
| It introduces a possibility for DoS but fixes the race...
| 
`----

I don't see why texindex cannot simply use completely random filenames?
They are saved in an array and accessed as tempfiles[i], anyway.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer