RHL7 textutils, as well as 2.0.11 from Rawhide, create temporary filenames in a predictable fashion. See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:13.sort.asc for the FreeBSD advisory and ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch for a patch. The patch isn't 100% applicable but the symptoms are similar. A part of the affected code:

---
if (long_file_names)
  sprintf (name, "%s%ssort%lu.%.5lu", temp_dir, slash, pid, seq);
else
  {
    /* Make sure the file name is safe for an 8.3 filesystem. */
    sprintf (name, "%s%ss%.5d%.2d.%.3d", temp_dir, slash,
             (int) (pid % 100000),
             (int) (seq / 1000 % 100),
             (int) (seq % 1000));
  }
---

[no mkstemp is used]
The FreeBSD patch is not just not applicable, it's nonsense. It uses mkstemp() to get the file name, then closes the fd and makes use of the name later. An attacker can create a new symlink in the time between the two. I'd say their patch actually adds to the problem - an attacker just needs to scan for temp files generated by sort, store the name, create a symlink with the same name as soon as the file disappears for the first time - no need to even guess the name. Working on a proper fix...
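The point of the two comments above is the difference between a name built from pid and a sequence number and a file created by mkstemp() whose descriptor is kept. The following is an added illustration, not code from the bug report, from textutils, or from the FreeBSD patch: `predictable_name()` reproduces the shape of the quoted sprintf for comparison only, `open_safe_temp()` creates the file with mkstemp() and hands back the open descriptor, and `temp_fd_is_private()` checks through that descriptor (never by path) that what was opened is a fresh regular file with no group/other permission bits. The directory argument, the `sortXXXXXX` template and the helper names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (example only): build a name in the style of the
 * quoted sprintf, pid and seq supplied by the caller. Anyone who can read
 * the process list can compute the same string, which is the flaw. */
int predictable_name(char *buf, size_t len, const char *temp_dir,
                     unsigned long pid, unsigned long seq)
{
    return snprintf(buf, len, "%s/sort%lu.%.5lu", temp_dir, pid, seq);
}

/* Safe variant: mkstemp() opens the file with O_CREAT|O_EXCL and mode
 * 0600, so a pre-placed symlink makes the call fail instead of being
 * followed. The descriptor returned here is the only handle the caller
 * should use; reopening by name later reintroduces a race window.
 * Returns the fd, or -1 on error. name_out receives the chosen path. */
int open_safe_temp(const char *temp_dir, char *name_out, size_t len)
{
    int n = snprintf(name_out, len, "%s/sortXXXXXX", temp_dir);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(name_out);
}

/* Verify via fstat() on the open descriptor, not stat() on the path:
 * a regular file, a single hard link, and no group/other bits set.
 * Returns 1 if the descriptor looks like a private fresh temp file. */
int temp_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && (st.st_mode & 077) == 0;
}

/* Stand-alone demonstration: create, write through the fd, unlink while
 * still open (the data stays reachable through the fd), then close.
 * Returns 0 on success, -1 on failure. */
int demo(const char *temp_dir)
{
    char name[4096];
    int fd = open_safe_temp(temp_dir, name, sizeof name);
    if (fd < 0)
        return -1;
    if (!temp_fd_is_private(fd)) {
        close(fd);
        unlink(name);
        return -1;
    }
    const char msg[] = "constructed sample record\n";
    ssize_t w = write(fd, msg, sizeof msg - 1);
    unlink(name);            /* name no longer needed; fd still valid */
    int rc = (w == (ssize_t)(sizeof msg - 1)) ? 0 : -1;
    close(fd);
    return rc;
}

int main(void)
{
    char p[256];
    predictable_name(p, sizeof p, "/tmp", (unsigned long)getpid(), 7UL);
    printf("predictable name would be: %s\n", p);
    return demo("/tmp") == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The check in `temp_fd_is_private()` is deliberately done with fstat() on the descriptor: a stat() on the path would itself be subject to the same symlink race the thread describes.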
Created attachment 8440: real fix
Updated packages built and waiting for QA approval.
On a second thought, the FreeBSD patch doesn't delete the file, so an attacker can't create a symlink in its place. I still prefer our variant though.
This was fixed a while ago