

Xinetd /tmp race?


Date: Wed, 11 Nov 1998 03:28:03 +0100
From: Balazs Nagy <[email protected]>
To: [email protected]
Subject: Xinetd /tmp race?

Hiyas,

If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
this method isn't checked against /tmp, and it happily overwrites anything
in the place of that file.  The package was released in 1997, IMHO this
is too old to have a bug of this kind hidden.

BTW here's the patch:
diff -ruN xinetd-2.2.1.orig/xinetd/internals.c
xinetd-2.2.1/xinetd/internals.c
--- xinetd-2.2.1.orig/xinetd/internals.c        Sun Nov  8 13:28:00 1998
+++ xinetd-2.2.1/xinetd/internals.c     Sun Nov  8 13:27:33 1998
@@ -55,7 +55,14 @@
        register int fd ;
        register unsigned u ;
        char *func = "dump_internal_state" ;
+       struct stat sb;

+       if (!(stat(dump_file,
&sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1))
+       {
+               msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable
link", dump_file ) ;
+               return ;
+       }
+
        dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND,
DUMP_FILE_MODE ) ;
        if ( dump_fd == -1 )
        {
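Review bot: the stat() guard added ahead of open() in dump_internal_state does not stop the symlink case it is meant to catch. stat() follows symbolic links, so a link at dump_file that points to a regular file with a single link fails neither !S_ISREG(sb.st_mode) nor sb.st_nlink>1, and the open() that follows still writes through it; lstat() would at least examine the link itself. Even with lstat() the name can be replaced between the check and open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ), so I would suggest opening first (O_EXCL when creating, O_NOFOLLOW where the platform has it) and then running fstat() on dump_fd before anything is written. Two smaller points: when stat() fails with an errno other than ENOENT the condition goes on to read sb uninitialised, and the log text "failed to open" is misleading because no open has been attempted at that point.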
--
   Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu
      PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8  86 64 9C 42 41 A4 BD B8
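
Added example, not part of the original post or of xinetd: one way to open a dump file in a world-writable directory so that the checks run on the opened descriptor rather than on the name. `safe_dump_open` and `try_case` are hypothetical names, the /tmp scenarios are constructed, and `O_NOFOLLOW` is assumed to be available on the platform.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not xinetd code): append-open a dump file, refusing planted links. */
int safe_dump_open(const char *path, mode_t mode)
{
    struct stat sb;
    /* O_EXCL fails with EEXIST if the name exists, even as a dangling symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, mode);
    if (fd == -1 && errno == EEXIST) /* reopen: no create, no symlink, no FIFO hang */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1) return -1;
    /* Validate the opened object, not the name: the fd cannot be swapped. */
    if (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode) &&
        sb.st_nlink == 1 && sb.st_uid == geteuid())
        return fd;
    close(fd);
    errno = EPERM;
    return -1;
}

/* Constructed /tmp scenarios: returns 1 = allowed, 0 = refused, -1 = setup error. */
int try_case(const char *kind)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", dump[64], victim[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(dump, sizeof dump, "%s/xinetd.dump", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v == -1 || close(v)) return -1;
    if ((!strcmp(kind, "symlink") && symlink(victim, dump)) ||
        (!strcmp(kind, "hardlink") && link(victim, dump)) ||
        (!strcmp(kind, "regular") && rename(victim, dump))) return -1;
    int fd = safe_dump_open(dump, 0644);
    if (fd != -1) close(fd);
    unlink(dump); unlink(victim); rmdir(dir);
    return fd != -1;
}

int main(void)
{
    printf("absent=%d regular=%d symlink=%d hardlink=%d\n", try_case("absent"),
           try_case("regular"), try_case("symlink"), try_case("hardlink"));
}
```

The ownership test also rejects a regular file that another local user created under the dump name beforehand, which would otherwise receive the daemon's internal state.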
