Bug 18943 - arpwatch has a tmp race
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
6.2
All Linux
medium Severity medium
Assigned To: Harald Hoyer
: Security
Reported: 2000-10-12 06:32 EDT by Jarno Huuskonen
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 2000-10-12 06:32:58 EDT
Description Jarno Huuskonen 2000-10-12 06:32:52 EDT
Arpwatch has a tmp race in report.c (around line 290). It uses
mktemp and then fopen that filename.

Here's a patch for arpwatch-2.1a6 (needs more thorough testing !!!!):

diff -u arpwatch-2.1a6/report.c arpwatch-2.1a6-new/report.c
--- arpwatch-2.1a6/report.c     Mon Jan 18 03:46:42 1999
+++ arpwatch-2.1a6-new/report.c Wed Oct 11 21:32:51 2000
@@ -238,6 +238,7 @@
        register char *cp, *hn;
        register int pid;
        register FILE *f;
+       int tmpfd;
        char tempfile[64], cpu[64], os[64];
        char *fmt = "%20s: %s\n";
        char *watcher = WATCHER;
@@ -287,9 +288,12 @@
                /* Child */
                closelog();
                (void)strcpy(tempfile, "/tmp/arpwatch.XXXXXX");
-               (void)mktemp(tempfile);
-               if ((f = fopen(tempfile, "w+")) == NULL) {
-                       syslog(LOG_ERR, "child open(%s): %m", tempfile);
+               if ( (tmpfd = mkstemp(tempfile)) == -1 ) {
+                       syslog(LOG_ERR, "couldn't create tmp file");
+                       exit(1);
+               }
+               if ((f = fdopen(tmpfd, "w+")) == NULL) {
+                       syslog(LOG_ERR, "child fdopen(%s): %m", tempfile);
                        exit(1);
                }
                if (unlink(tempfile) < 0)
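
Review bot: The mkstemp() failure branch logs the fixed string "couldn't create tmp file" and drops both the `%m` and the file name that the removed `child open(%s): %m` message carried, so the errno reason never reaches syslog; `syslog(LOG_ERR, "child mkstemp(%s): %m", tempfile);` would keep it. In the fdopen() failure branch the child exits before reaching the `unlink(tempfile)` shown in the trailing context, so the file mkstemp() has already created is left behind in /tmp and tmpfd is never explicitly closed; unlink the file and close the descriptor before `exit(1)` there. The "w+" mode passed to fdopen() does not truncate or create anything, which is fine here because mkstemp() returns a new, empty file opened for reading and writing.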

-Jarno
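
The difference between the mktemp()+fopen() pattern described in the report and an exclusive create, as an added example (not code from arpwatch or from this report). It works in a private directory made with mkdtemp(), and the names `racedemo`, `victim` and `report.tmp` are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a bitmask (or -1 on setup failure):
 * 1 = fopen() on a pre-existing symlink wrote into the link's target,
 * 2 = open(O_CREAT|O_EXCL) refused the same name with EEXIST,
 * 4 = mkstemp() returned a new regular file with mode 0600. */
int tmp_race_demo(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX", victim[64], guess[64], safe[64];
    struct stat st;
    int fd, result = 0;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/report.tmp", dir); /* stands in for the mktemp() name */
    snprintf(safe, sizeof safe, "%s/report.XXXXXX", dir);
    /* The name already exists as a symlink by the time the program opens it. */
    if (symlink(victim, guess) != 0) { rmdir(dir); return -1; }

    /* Old pattern: fopen() follows the link and creates or truncates its target. */
    if ((f = fopen(guess, "w+")) != NULL) {
        fputs("report body\n", f);
        fclose(f);
        if (stat(victim, &st) == 0 && st.st_size > 0)
            result |= 1;
    }
    /* O_EXCL fails if the name exists at all, symlinks included. */
    fd = open(guess, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd == -1 && errno == EEXIST)
        result |= 2;
    else if (fd != -1)
        close(fd);
    /* mkstemp() chooses the name and creates it exclusively in one step. */
    if ((fd = mkstemp(safe)) != -1) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600)
            result |= 4;
        close(fd);
        unlink(safe);
    }
    unlink(guess); unlink(victim); rmdir(dir);
    return result;
}
int main(void) { printf("result mask: %d\n", tmp_race_demo()); return 0; }
```

The demo directory is created with mode 0700 and owned by the caller, so the kernel's fs.protected_symlinks restriction on sticky world-writable directories such as /tmp does not affect the result.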
Comment 1 Jeff Johnson 2000-10-12 10:02:47 EDT
Fixed (patch applied) in tcpdump-3.4-30. Thanks for noticing.
Comment 2 Daniel Roesen 2000-10-13 11:58:08 EDT
Wouldn't a security problem justify an errata update?