Bug 503723 - fopen mode 'x' ignored in some cases
Product: Fedora
Classification: Fedora
Component: glibc
All Linux
low Severity high
Assigned To: Andreas Schwab
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: 509853 509855
Reported: 2009-06-02 08:00 EDT by Sami Farin
Modified: 2017-05-02 11:10 EDT

Doc Type: Bug Fix
Last Closed: 2009-08-10 10:15:17 EDT

Attachments
fopen.c - test for fopen modes (425 bytes, text/plain)
2009-06-02 08:00 EDT, Sami Farin

Description Sami Farin 2009-06-02 08:00:51 EDT
Created attachment 346240
fopen.c - test for fopen modes

Description of problem:
O_EXCL is not used if mode is "wbex", but O_EXCL is used if mode is "wbxe".

This bug can cause security vulnerabilities in software relying on this glibc extension.

Version-Release number of selected component (if applicable):
2.10.1-2, 2.9.90-3

How reproducible:

Steps to Reproduce:
1. compile attached C source file
2. run with options ababab wbex, and ababab wbxe
Actual results:
'x' may be ignored

Expected results:
'x' not ignored

Additional info:
$ strace -eopen ./a.out ababab wbxe 2>&1 | grep ababab ; rm -f ababab
open("ababab", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_CLOEXEC, 0666) = 3
$ strace -eopen ./a.out ababab wbex 2>&1 | grep ababab ; rm -f ababab
open("ababab", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 3
Comment 1 Tomas Hoger 2009-06-02 11:28:21 EDT
Problem seems to be in _IO_new_file_fopen() in libio/fileops.c.  Unlike other recognized mode characters, 'e' and 'c' are treated as last character of the mode string:


Not sure if that is intentional, rather looks like a bug caused by odd use of continue vs. break due to the way switch is nested inside for loop.

Are you aware of any application relying on this already?  Quick google code search did not find anything, though it's obviously easy to miss cases where mode is passed via some other variable.
Comment 2 Ulrich Drepper 2009-06-09 10:02:34 EDT
I've checked in a patch upstream.
Comment 3 Tomas Hoger 2009-06-09 10:07:08 EDT
Thank you!  Commit diff link for posterity:
Comment 4 Noura El hawary 2009-06-09 17:48:30 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 5 Andreas Schwab 2009-08-10 10:15:17 EDT
Fixed in 2.10.1-4.
