|
|
Tripwire Insecure Temporary File Symbolic Link Vulnerability
Solution: The following patches were posted by Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>. Tripwire 1.3.1: --- src/config.parse.c.orig Tue Jun 13 23:24:14 2000 +++ src/config.parse.c Tue Jun 13 23:30:35 2000 @@ -55,7 +55,6 @@ #endif /* prototypes */ -char *mktemp(); static void configfile_descend(); #ifndef L_tmpnam @@ -105,8 +104,8 @@ }; (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmpfilename) == NULL) { - perror("configfile_read: mktemp()"); + if (mkstemp(tmpfilename) == -1) { + perror("configfile_read: mkstemp()"); exit(1); } --- src/dbase.build.c.orig Tue May 4 17:31:00 1999 +++ src/dbase.build.c Tue Jun 13 23:40:06 2000 @@ -60,7 +60,6 @@ int files_scanned_num = 0; /* prototypes */ -char *mktemp(); /* new database checking routines */ static void database_record_write(); @@ -135,8 +134,8 @@ die_with_err("malloc() failed in database_build", (char *) NULL); (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmpfilename) == NULL) - die_with_err("database_build: mktemp()", (char *) NULL); + if (mkstemp(tmpfilename) == -1) + die_with_err("database_build: mkstemp()", (char *) NULL); (void) strcpy(tempdatabase_file, tmpfilename); (void) strcpy(database, tempdatabase_file); @@ -814,8 +813,8 @@ /* build temporary file name */ (void) strcpy(backup_name, TEMPFILE_TEMPLATE); - if ((char *) mktemp(backup_name) == NULL) { - die_with_err("copy_database_to_backup: mktemp() failed!", NULL); + if (mkstemp(backup_name) == -1) { + die_with_err("copy_database_to_backup: mkstemp() failed!", NULL); } strcpy (database_backupfile, backup_name); --- src/siggen.c.orig Tue Jun 13 23:42:53 2000 +++ src/siggen.c Tue Jun 13 23:43:27 2000 @@ -52,7 +52,6 @@ extern int optind; int debuglevel = 0; -char *mktemp(); int (*pf_signatures [NUM_SIGS]) () = { SIG0FUNC, @@ -172,8 +171,8 @@ }; (void) strcpy(tmpfilename, "/tmp/twzXXXXXX"); - if ((char *) mktemp(tmpfilename) == NULL) { - perror("siggen: mktemp()"); + if (mkstemp(tmpfilename) == -1) { + perror("siggen: mkstemp()"); exit(1); } --- src/utils.c.orig Tue Jun 13 23:43:01 2000 +++ src/utils.c Tue Jun 13 23:43:50 2000 @@ -856,8 +856,8 @@ int fd; (void) strcpy(tmp, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmp) == NULL) { - perror("tempfilename_generate: mktemp()"); + if (mkstemp(tmp) == -1) { + perror("tempfilename_generate: mkstemp()"); exit(1); } Tripwire 2.3.1: --- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001 +++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001 @@ -243,6 +243,7 @@ { char* pchTempFileName; char szTemplate[MAXPATHLEN]; + int fd; #ifdef _UNICODE // convert template from wide character to multi-byte string @@ -253,13 +254,14 @@ strcpy( szTemplate, strName.c_str() ); #endif - // create temp filename - pchTempFileName = mktemp( szTemplate ); + // create temp filename and check to see if mkstemp failed + if ((fd = mkstemp( szTemplate )) == -1) { + throw eFSServicesGeneric( strName ); + } else { + close(fd); + } + pchTempFileName = szTemplate; - //check to see if mktemp failed - if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) { - throw eFSServicesGeneric( strName ); - } // change name so that it has the XXXXXX part filled in #ifdef _UNICODE Tripwire commercial version 2.4.2 is not vulnerable to this issue. Upgrade available: Tripwire Tripwire 1.3.1
Tripwire Tripwire 2.2.1
Tripwire Tripwire 2.3 .0
|
|
Privacy Statement |