thirdparty/util-linux
2
0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

chsh, chfn, vipw: fix filenames collision

Browse source 
The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.

An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result maybe temporary file with name like rc.status
ld.so.preload or krb5.keytab, etc.

Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.

It's probably very minor security bug.

Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>
This commit is contained in:
Karel Zak 2015-08-24 10:05:55 +02:00
parent 3db75b1a8e
commit bde91c85bd
7 changed files with 20 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

6
include/fileutils.h
View file

@ -7,14 +7,14 @@
#include "c.h"
extern int xmkstemp(char **tmpname, char *dir);
extern int xmkstemp(char **tmpname, const char *dir, const char *prefix);
static inline FILE *xfmkstemp(char **tmpname, char *dir)
static inline FILE *xfmkstemp(char **tmpname, const char *dir, const char *prefix)
{
int fd;
FILE *ret;
fd = xmkstemp(tmpname, dir);
fd = xmkstemp(tmpname, dir, prefix);
if (fd == -1)
return NULL;