Bug 18943 - arpwatch has a tmp race
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: tcpdump   
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Harald Hoyer
Keywords: Security
Reported: 2000-10-12 10:32 UTC by Jarno Huuskonen
Modified: 2008-05-01 15:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2000-10-12 10:32:58 UTC

Description Jarno Huuskonen 2000-10-12 10:32:52 UTC
Arpwatch has a tmp race in report.c (around line 290). It uses
mktemp and then fopen that filename.

Here's a patch for arpwatch-2.1a6 (needs more thorough testing !!!!):

diff -u arpwatch-2.1a6/report.c arpwatch-2.1a6-new/report.c
--- arpwatch-2.1a6/report.c     Mon Jan 18 03:46:42 1999
+++ arpwatch-2.1a6-new/report.c Wed Oct 11 21:32:51 2000
@@ -238,6 +238,7 @@
        register char *cp, *hn;
        register int pid;
        register FILE *f;
+       int tmpfd;
        char tempfile[64], cpu[64], os[64];
        char *fmt = "%20s: %s\n";
        char *watcher = WATCHER;
@@ -287,9 +288,12 @@
                /* Child */
                closelog();
                (void)strcpy(tempfile, "/tmp/arpwatch.XXXXXX");
-               (void)mktemp(tempfile);
-               if ((f = fopen(tempfile, "w+")) == NULL) {
-                       syslog(LOG_ERR, "child open(%s): %m", tempfile);
+               if ( (tmpfd = mkstemp(tempfile)) == -1 ) {
+                       syslog(LOG_ERR, "couldn't create tmp file");
+                       exit(1);
+               }
+               if ((f = fdopen(tmpfd, "w+")) == NULL) {
+                       syslog(LOG_ERR, "child fdopen(%s): %m", tempfile);
                        exit(1);
                }
                if (unlink(tempfile) < 0)
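
Review bot: In the new mkstemp() failure branch, the syslog call logs only "couldn't create tmp file", dropping both the template path and errno, while the removed fopen line and the fdopen branch right below it use "%s" and "%m"; suggest syslog(LOG_ERR, "child mkstemp(%s): %m", tempfile) so a full or unwritable /tmp can be diagnosed from the log. Separately, the fdopen() failure branch calls exit(1) while the file mkstemp() just created is still present, because unlink(tempfile) only runs after fdopen succeeds; unlinking in that branch before exiting would avoid leaving stale /tmp/arpwatch.* files.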

-Jarno
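
The race described in this report, shown as an added example (not part of the original report or of arpwatch): inside a constructed private directory, a symlink appears at the chosen name before it is opened, and the old and new open patterns are compared. The function `run_demo`, the `racedemo` directory and the file names are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 on success and fills in three results. */
int run_demo(int *clobbered, int *excl_errno, int *mkstemp_private)
{
    char dir[] = "/tmp/racedemo.XXXXXX";   /* constructed sandbox, stands in for /tmp */
    char victim[64], name[64], tmpl[64];
    struct stat st;
    FILE *f;
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/arpwatch.AAAAAA", dir);   /* name picked first */
    snprintf(tmpl, sizeof tmpl, "%s/arpwatch.XXXXXX", dir);
    if ((f = fopen(victim, "w")) == NULL) return -1;
    fputs("existing data\n", f);
    fclose(f);
    /* The window between picking the name and opening it: the name now
     * exists as a symlink to another file. */
    if (symlink(victim, name) < 0) return -1;
    /* Pattern from the report: fopen("w+") follows the link, truncates the target. */
    if ((f = fopen(name, "w+")) == NULL) return -1;
    fclose(f);
    if (stat(victim, &st) < 0) return -1;
    *clobbered = (st.st_size == 0);
    /* O_CREAT|O_EXCL, the semantics mkstemp() uses, refuses any existing name. */
    fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    *excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    /* mkstemp() picks the name and creates the file in one step. */
    if ((fd = mkstemp(tmpl)) < 0 || fstat(fd, &st) < 0) return -1;
    *mkstemp_private = S_ISREG(st.st_mode) && st.st_nlink == 1 && (st.st_mode & 077) == 0;
    close(fd);
    unlink(tmpl); unlink(name); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    int c, e, m;
    if (run_demo(&c, &e, &m) != 0) { perror("run_demo"); return 1; }
    printf("fopen clobbered target: %d, O_EXCL errno: %d, mkstemp private: %d\n", c, e, m);
    return 0;
}
```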

Comment 1 Jeff Johnson 2000-10-12 14:02:47 UTC
Fixed (patch applied) in tcpdump-3.4-30. Thanks for noticing.

Comment 2 Daniel Roesen 2000-10-13 15:58:08 UTC
Wouldn't a security problem justify an errata update?

