Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 79682 - xpdf - unsafe temporary files
Summary: xpdf - unsafe temporary files
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: xpdf
Version: 1.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-12-15 00:39 UTC by Michal Jaegermann
Modified: 2007-04-18 16:49 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-03-31 15:15:10 UTC


Attachments (Terms of Use)

Description Michal Jaegermann 2002-12-15 00:39:39 UTC
Description of problem:

During compilation of xpdf gcc comes twice with warnings:

gfile.o(.text+0x4d9): the use of `tmpnam' is dangerous, better use `mkstemp'

The problem is really that code from goo/gfile.cc

  //---------- Unix ----------
  char *s;
  int fd;

  if (ext) {
#if HAVE_MKSTEMPS
    /* .... */
#else
    if (!(s = tmpnam(NULL))) {
      return gFalse;
    }
    *name = new GString(s);
    (*name)->append(ext);
    fd = open((*name)->getCString(), O_WRONLY | O_CREAT | O_EXCL, 0600);
#endif
  } else {
.....

AFAIK this branch is not even really used in the current version of xpdf
but the problem is a need for 'ext' which is not supported by 'mkstemp()'.
True, O_EXCL flag is used to 'open()' but this will not help really if
a directory where this is happening will be mounted, say, via NFS.
Likely a remote possibility of an attack but it exists.

A simple way to close the bug for now would be to comment out the whole
branch.  In general, in an absence of mkstemps(),  mkdtemp() likely should
be used to create a temporary subdirectory where files with desired
extenstions can be safely opened and the whole directory should be removed
on exit.

Version-Release number of selected component (if applicable):
xpdf-2.01-2 but the same code is actually in earlier versions as well.

Comment 1 Ngo Than 2003-03-31 15:15:10 UTC
it's fixed in 2.02-2 or newer.


Note You need to log in before you can comment on or make changes to this bug.