Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 79682

Summary: xpdf - unsafe temporary files
Product: [Retired] Red Hat Raw Hide Reporter: Michal Jaegermann <michal>
Component: xpdfAssignee: Ngo Than <than>
Status: CLOSED RAWHIDE QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-03-31 15:15:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Michal Jaegermann 2002-12-15 00:39:39 UTC
Description of problem:

During compilation of xpdf gcc comes twice with warnings:

gfile.o(.text+0x4d9): the use of `tmpnam' is dangerous, better use `mkstemp'

The problem is really that code from goo/gfile.cc

  //---------- Unix ----------
  char *s;
  int fd;

  if (ext) {
#if HAVE_MKSTEMPS
    /* .... */
#else
    if (!(s = tmpnam(NULL))) {
      return gFalse;
    }
    *name = new GString(s);
    (*name)->append(ext);
    fd = open((*name)->getCString(), O_WRONLY | O_CREAT | O_EXCL, 0600);
#endif
  } else {
.....

AFAIK this branch is not even really used in the current version of xpdf
but the problem is a need for 'ext' which is not supported by 'mkstemp()'.
True, O_EXCL flag is used to 'open()' but this will not help really if
a directory where this is happening will be mounted, say, via NFS.
Likely a remote possibility of an attack but it exists.

A simple way to close the bug for now would be to comment out the whole
branch.  In general, in an absence of mkstemps(),  mkdtemp() likely should
be used to create a temporary subdirectory where files with desired
extenstions can be safely opened and the whole directory should be removed
on exit.

Version-Release number of selected component (if applicable):
xpdf-2.01-2 but the same code is actually in earlier versions as well.

Comment 1 Ngo Than 2003-03-31 15:15:10 UTC
it's fixed in 2.02-2 or newer.