Tripwire Insecure Temporary File Symbolic Link Vulnerability

Solution:
The following patches were posted by Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>.

Tripwire 1.3.1:

--- src/config.parse.c.orig Tue Jun 13 23:24:14 2000
+++ src/config.parse.c Tue Jun 13 23:30:35 2000
@@ -55,7 +55,6 @@
#endif

/* prototypes */
-char *mktemp();
static void configfile_descend();

#ifndef L_tmpnam
@@ -105,8 +104,8 @@
};
(void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);

- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("configfile_read: mktemp()");
+ if (mkstemp(tmpfilename) == -1) {
+ perror("configfile_read: mkstemp()");
exit(1);
}
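Review bot: The descriptor returned by `mkstemp(tmpfilename)` is discarded in this hunk, so every call leaks an open file descriptor and only the name is kept. Creation is now done by mkstemp itself rather than from a predictable name, but the code after this hunk (not visible here) presumably opens `tmpfilename` again by path, and that later open should be checked. Keeping the descriptor, e.g. `if ((fd = mkstemp(tmpfilename)) == -1) {` followed by `fdopen(fd, "w+")`, or `close(fd)` once it is not needed, avoids both the leak and the reopen by name. The same pattern appears in both mkstemp hunks of src/dbase.build.c and in the one in src/siggen.c. The enclosing function starts and ends outside the hunk.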

--- src/dbase.build.c.orig Tue May 4 17:31:00 1999
+++ src/dbase.build.c Tue Jun 13 23:40:06 2000
@@ -60,7 +60,6 @@
int files_scanned_num = 0;

/* prototypes */
-char *mktemp();

/* new database checking routines */
static void database_record_write();
@@ -135,8 +134,8 @@
die_with_err("malloc() failed in database_build", (char *) NULL);
(void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);

- if ((char *) mktemp(tmpfilename) == NULL)
- die_with_err("database_build: mktemp()", (char *) NULL);
+ if (mkstemp(tmpfilename) == -1)
+ die_with_err("database_build: mkstemp()", (char *) NULL);

(void) strcpy(tempdatabase_file, tmpfilename);
(void) strcpy(database, tempdatabase_file);
@@ -814,8 +813,8 @@
/* build temporary file name */
(void) strcpy(backup_name, TEMPFILE_TEMPLATE);

- if ((char *) mktemp(backup_name) == NULL) {
- die_with_err("copy_database_to_backup: mktemp() failed!", NULL);
+ if (mkstemp(backup_name) == -1) {
+ die_with_err("copy_database_to_backup: mkstemp() failed!", NULL);
}

strcpy (database_backupfile, backup_name);
--- src/siggen.c.orig Tue Jun 13 23:42:53 2000
+++ src/siggen.c Tue Jun 13 23:43:27 2000
@@ -52,7 +52,6 @@

extern int optind;
int debuglevel = 0;
-char *mktemp();

int (*pf_signatures [NUM_SIGS]) () = {
SIG0FUNC,
@@ -172,8 +171,8 @@
};
(void) strcpy(tmpfilename, "/tmp/twzXXXXXX");

- if ((char *) mktemp(tmpfilename) == NULL) {
- perror("siggen: mktemp()");
+ if (mkstemp(tmpfilename) == -1) {
+ perror("siggen: mkstemp()");
exit(1);
}

--- src/utils.c.orig Tue Jun 13 23:43:01 2000
+++ src/utils.c Tue Jun 13 23:43:50 2000
@@ -856,8 +856,8 @@
int fd;

(void) strcpy(tmp, TEMPFILE_TEMPLATE);
- if ((char *) mktemp(tmp) == NULL) {
- perror("tempfilename_generate: mktemp()");
+ if (mkstemp(tmp) == -1) {
+ perror("tempfilename_generate: mkstemp()");
exit(1);
}
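Review bot: An `int fd;` is already declared at the top of this hunk, yet the result of `mkstemp(tmp)` is not stored in it, so the descriptor is leaked and an empty file is left on disk. If the code following the hunk (not visible here) creates `tmp` itself with an exclusive open, that call would now fail because the file already exists; this should be verified against the rest of the function. Assigning the result, `if ((fd = mkstemp(tmp)) == -1) {`, and reusing `fd` instead of opening the path a second time would keep create-and-open a single atomic step.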

Tripwire 2.3.1:

--- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001
+++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001
@@ -243,6 +243,7 @@
{
char* pchTempFileName;
char szTemplate[MAXPATHLEN];
+ int fd;

#ifdef _UNICODE
// convert template from wide character to multi-byte string
@@ -253,13 +254,14 @@
strcpy( szTemplate, strName.c_str() );
#endif

- // create temp filename
- pchTempFileName = mktemp( szTemplate );
+ // create temp filename and check to see if mkstemp failed
+ if ((fd = mkstemp( szTemplate )) == -1) {
+ throw eFSServicesGeneric( strName );
+ } else {
+ close(fd);
+ }
+ pchTempFileName = szTemplate;

- //check to see if mktemp failed
- if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) {
- throw eFSServicesGeneric( strName );
- }

// change name so that it has the XXXXXX part filled in
#ifdef _UNICODE
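Review bot: The new code closes the descriptor from `mkstemp( szTemplate )` immediately and passes on only the name via `pchTempFileName = szTemplate;`, so the file is opened a second time by path somewhere outside this hunk. The name can no longer be predicted before creation, but if the temporary directory is not protected by the sticky bit, the caller's open should refuse to follow a link (for example `O_NOFOLLOW`, or comparing `fstat` on the new descriptor with the file mkstemp created). A comment such as `// mkstemp leaves an empty file behind; callers must open it without O_EXCL and remove it when done` would document the changed contract, since the old `mktemp` path returned a name for a file that did not exist. The `else` after the `throw` is redundant; `close(fd);` can follow the `if` directly.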

Tripwire commercial version 2.4.2 is not vulnerable to this issue.

Upgrade available:


Tripwire Tripwire 1.3.1

Tripwire Tripwire 2.2.1

Tripwire Tripwire 2.3.0


 
