Debian Bug report logs -
#311296
mutt: less random temp file creation allows DOS
Reported by: "Roberto C. Sanchez" <roberto@connexer.com>
Date: Mon, 30 May 2005 19:03:02 UTC
Severity: normal
Tags: patch, security, upstream
Found in versions 1.5.9-2, mutt/1.5.11+cvs20060330-1, mutt/1.5.19-1
Fixed in version mutt/1.5.20-7
Done: Antonio Radici <antonio@dyne.org>
Bug is archived. No further changes may be made.
Forwarded to http://bugs.mutt.org/3158
Report forwarded to debian-bugs-dist@lists.debian.org, debian@ngolde.de, mutt-ng@lxtec.de, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Roberto C. Sanchez" <roberto@familiasanchez.net>:
New Bug report received and forwarded. Copy sent to debian@ngolde.de, mutt-ng@lxtec.de, Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mutt
Version: 1.5.9-2
Severity: important
I am only making this important because after discussing it on
#debian-devel, the consensus was that this was annoying but not RC. I am
CC'ing Nico and Elimar since this also applies to the unofficial
mutt-ng packages. mutt creates temporary files in a very predictable
and unsecure way. There is no threat of overwriting an existing file or
creating a file somewhere where the user lacks appropriate permissions,
but there is a trivial way to DoS the users in mutt.
Steps to replicate:
Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
running mutt. Note the pid of the mutt process you want to DOS. Note
the username and run 'id <user>' to get the uid. Then run 'for i in
`seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
reply to mail, 4) or view help until mutt is restarted. For added fun,
wrap in another for loop that iterates from 0 to 32767 and hit all the
PIDs and prevent the user from using mutt until /tmp is cleaned or the
machine is rebooted.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-miami-15.3
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)
Versions of packages mutt depends on:
ii exim4 4.50-6 metapackage to ease exim MTA (v4)
ii exim4-daemon-light [mail-tr 4.50-6 lightweight exim MTA (v4) daemon
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libdb4.3 4.3.27-2 Berkeley v4.3 Database Libraries [
ii libgnutls11 1.0.16-9 GNU TLS library - runtime library
ii libidn11 0.5.13-1.0 GNU libidn library, implementation
ii libncursesw5 5.4-4 Shared libraries for terminal hand
ii libsasl2 2.1.19-1.5 Authentication abstraction library
-- no debconf information
Severity set to `minor'.
Request was from Marco d'Itri <md@linux.it>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Mark Suter <suter@zwitterion.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #12 received at 311296@bugs.debian.org (full text, mbox, reply):
Roberto,
This problem is a symptom of the larger "shared /tmp" issue. A
solution is to use the TMPDIR environment variable as discussed
in the Secure Programming for Linux and Unix HOWTO.
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES
Mutt honours the TMPDIR environment variable, so something like
the following in your ~/.bashrc (or equivalent) will avoid this
issue completely (and cover a few alternate variables).
## Safe, local temporary directory
mkdir -p $HOME/tmp && for var in TMPDIR TMP TEMP TEMPDIR ; do export $var=$HOME/tmp; done
test -d $TMPDIR || echo Warning: TMPDIR is not set correctly.
Yours sincerely,
-- Mark John Suter | I know that you believe you understand
suter@humbug.org.au | what you think I said, but I am not sure
gpg key id 2C71D63D | you realise that what you heard is not
mobile 0411 262 316 | what I meant. Robert J. McCloskey
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Roberto C. Sanchez" <roberto@familiasanchez.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #17 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, May 31, 2005 at 01:05:45PM +1000, Mark Suter wrote:
> Roberto,
>
> This problem is a symptom of the larger "shared /tmp" issue. A
> solution is to use the TMPDIR environment variable as discussed
> in the Secure Programming for Linux and Unix HOWTO.
>
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES
>
> Mutt honours the TMPDIR environment variable, so something like
> the following in your ~/.bashrc (or equivalent) will avoid this
> issue completely (and cover a few alternate variables).
>
> ## Safe, local temporary directory
> mkdir -p $HOME/tmp && for var in TMPDIR TMP TEMP TEMPDIR ; do export $var=$HOME/tmp; done
> test -d $TMPDIR || echo Warning: TMPDIR is not set correctly.
>
That is fine. However, given the existence of the tmpfile(3) function,
there is really no excuse for any program to employ a 1-up numbering of
temporary files. Specifically, in the same section of the Secure-
Programs-HOWTO you cite:
According to the 1997 ``Single Unix Specification'', the preferred
method for creating an arbitrary temporary file (using the C interface)
is tmpfile(3).
The paragraph after that goes on to talk about why mkstemp(3) is an even
better idea. So, there are options. Besides, given the choice between
the following two options:
1) One-time fix applied by upstream developer; by extension, present
in all future releases.
2) Work around in ~/.bashrc (or equivalent) that must be applied to
every system accessed. (Think a year or two down the road when you get
an account on a new machine).
I would say that option 1 has major advantages:
1) Requires one person to do one thing to fix.
2) Less error prone/open to peer review.
3) Is not dependent on a specific user action.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Mark Suter <suter@zwitterion.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #22 received at 311296@bugs.debian.org (full text, mbox, reply):
Robert,
I agree Mutt should be fixed to create its temporary files in
non-predictable fashion. That mutt honours TMPDIR provides a
work-around, not the solution for Mutt.
> Besides, given the choice between the following two options:
>
> 1) One-time fix applied by upstream developer; by extension, present
> in all future releases.
For this package only...
> 2) Work around in ~/.bashrc (or equivalent) that must be applied to
> every system accessed. (Think a year or two down the road when you get
> an account on a new machine).
The flip-side of (2) is that the user avoids this class of problem for
many different packages, present and future. Setting TMPDIR is a good
solution for the user - all software honouring this variable will now
avoid all the issues of the shared /tmp.
> I would say that option 1 has major advantages:
>
> 1) Requires one person to do one thing to fix.
> 2) Less error prone/open to peer review.
> 3) Is not dependent on a specific user action.
I like doing both - defence in depth, you know ;)
I largely agree with you; however, I felt that as TMPDIR is a solution
to the entire class of shared /tmp problems, it's worth mentioning.
Yours sincerely,
-- Mark John Suter | I know that you believe you understand
suter@humbug.org.au | what you think I said, but I am not sure
gpg key id 2C71D63D | you realise that what you heard is not
mobile 0411 262 316 | what I meant. Robert J. McCloskey
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Roberto C. Sanchez" <roberto@familiasanchez.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #27 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, May 31, 2005 at 01:54:11PM +1000, Mark Suter wrote:
> Robert,
>
> I agree Mutt should be fixed to create its temporary files in
> non-predictable fashion. That mutt honours TMPDIR provides a
> work-around, not the solution for Mutt.
OK. I took what you initially said as you presenting TMPDIR as the
canonical solution. That was my fault.
>
> > Besides, given the choice between the following two options:
> >
> > 1) One-time fix applied by upstream developer; by extension, present
> > in all future releases.
>
> For this package only...
>
Not sure what this means. If the fix is only applied to the Debian
package, then at least future releases of the Debian package. If it is
applied upstream, then future upstream releases will have it as well.
Either way, a larger group of users benefits.
> > 2) Work around in ~/.bashrc (or equivalent) that must be applied to
> > every system accessed. (Think a year or two down the road when you get
> > an account on a new machine).
>
> The flip-side of (2) is that the user avoids this class of problem for
> many different packages, present and future. Setting TMPDIR is a good
> solution for the user - all software honouring this variable will now
> avoid all the issues of the shared /tmp.
>
True. Of course, the user must not fall into thinking that setting
TMPDIR is a silver bullet. Of course, mutt honors the setting, but not
all programs do.
> > I would say that option 1 has major advantages:
> >
> > 1) Requires one person to do one thing to fix.
> > 2) Less error prone/open to peer review.
> > 3) Is not dependent on a specific user action.
>
> I like doing both - defence in depth, you know ;)
>
True. It's all about layering. Defense, security, keeping warm in
winter and onions. There is a pattern there :-)
> I largely agree with you; however, I felt that as TMPDIR is a solution
> to the entire class of shared /tmp problems, it's worth mentioning.
>
If only all programs obeyed it. What would be really need would be if
we turned /tmp into a device node or something in proc. Then the system
could redirect based on UID. That is, you run foo as yourself and it
creates a temporary file under /tmp, and I also run foo and create a
temporary file under /tmp, but they are both in different places. Just
an idea.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #32 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Roberto,
* Roberto C. Sanchez <roberto@familiasanchez.net> [2005-05-31 10:45]:
[...]
> I am only making this important because after discussing it on
> #debian-devel, the consensus was that this was annoying but not RC. I am
> CC'ing Nico and Elimar since this also applies to the unofficial
> mutt-ng packages. mutt creates temporary files in a very predictable
> and unsecure way. There is no threat of overwriting an existing file or
> creating a file somewhere where the user lacks appropriate permissions,
> but there is a trivial way to DoS the users in mutt.
>
> Steps to replicate:
>
> Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
> running mutt. Note the pid of the mutt process you want to DOS. Note
> the username and run 'id <user>' to get the uid. Then run 'for i in
> `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> reply to mail, 4) or view help until mutt is restarted. For added fun,
> wrap in another for loop that iterates from 0 to 32767 and hit all the
> PIDs and prevent the user from using mutt until /tmp is cleaned or the
> machine is rebooted.
Thanks, it's on our todo list. Patches are welcome!
Regards Nico
--
Nico Golde - 310777820@ICQ | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #42 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Roberto,
* Roberto C. Sanchez <roberto@familiasanchez.net> [2005-05-31 10:45]:
> Package: mutt
> Version: 1.5.9-2
> Severity: important
>
> I am only making this important because after discussing it on
> #debian-devel, the consensus was that this was annoying but not RC. I am
> CC'ing Nico and Elimar since this also applies to the unofficial
> mutt-ng packages. mutt creates temporary files in a very predictable
> and unsecure way. There is no threat of overwriting an existing file or
> creating a file somewhere where the user lacks appropriate permissions,
> but there is a trivial way to DoS the users in mutt.
>
> Steps to replicate:
>
> Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
> running mutt. Note the pid of the mutt process you want to DOS. Note
> the username and run 'id <user>' to get the uid. Then run 'for i in
> `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> reply to mail, 4) or view help until mutt is restarted. For added fun,
> wrap in another for loop that iterates from 0 to 32767 and hit all the
> PIDs and prevent the user from using mutt until /tmp is cleaned or the
> machine is rebooted.
I fixed this bug for mutt-ng.
I attached a 64 bit hex string to the temporary file name.
In my opinion the TMPDIR solution is not very good.
Please CC me.
Index: trunk/muttlib.c
===================================================================
--- trunk/muttlib.c (Revision 306)
+++ trunk/muttlib.c (Revision 308)
@@ -647,8 +647,10 @@
void _mutt_mktemp (char *s, const char *src, int line)
{
- snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d", NONULL (Tempdir),
- NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++);
+
+ snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d-%x%x", NONULL (Tempdir),
+ NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++,
+ (unsigned int) rand(), (unsigned int) rand());
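Review bot: the two rand() calls added to the snprintf() arguments only make the name unpredictable if the generator is seeded somewhere outside this hunk; with the default seed, rand() returns the same sequence on every run, so the new suffix is as guessable as Counter. rand() is also not designed to resist prediction even when it is seeded. Because the result is still just a name that gets opened later, consider replacing the scheme with mkstemp(3), which chooses the name and creates the file exclusively in one call, as suggested earlier in this report.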
Regards Nico Golde
--
Nico Golde - 310777820@ICQ | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #47 received at 311296@bugs.debian.org (full text, mbox, reply):
> From: "Roberto C. Sanchez" <roberto@familiasanchez.net>
> [...] There is no threat of overwriting an existing file or creating
> a file somewhere where the user lacks appropriate permissions, but
> there is a trivial way to DoS the users in mutt.
The user can still change $tmpdir in his muttrc to avoid this problem
(and also avoid losing data if the machine is rebooted). So, it would
be even more trivial by filling up the disk, but this would not be a
bug in Mutt.
IMHO, this is just a minor problem.
--
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@muttng.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #57 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Roberto,
* Roberto C. Sanchez <roberto@familiasanchez.net> [2005-05-31 10:45]:
[...]
> Steps to replicate:
>
> Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
> running mutt. Note the pid of the mutt process you want to DOS. Note
> the username and run 'id <user>' to get the uid. Then run 'for i in
> `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> reply to mail, 4) or view help until mutt is restarted. For added fun,
> wrap in another for loop that iterates from 0 to 32767 and hit all the
> PIDs and prevent the user from using mutt until /tmp is cleaned or the
> machine is rebooted.
I have problems with reproducing this. I tried it with
mutt-ng but it seems that mutt-ng is simply overwriting these
files so mutt-ng is running well with it.
But anyway, the tmp file generation is not very good so I
will add an additional more random string to the file name.
Regards Nico
--
Nico Golde - 310777820@ICQ | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to 311296@bugs.debian.org, Adeodato Simó <asp16@alu.ua.es>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #62 received at 311296@bugs.debian.org (full text, mbox, reply):
Hello Nico, could you please avoid CC'ing submit@bugs.debian.org on
your mails. PTS subscribers get duplicated e-mails.
Thanks.
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
One way to make your old car run better is to look up the price of a new model.
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Roberto C. Sanchez" <roberto@familiasanchez.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #67 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, May 31, 2005 at 04:22:08PM +0200, Nico Golde wrote:
> Hello Roberto,
>
> * Roberto C. Sanchez <roberto@familiasanchez.net> [2005-05-31 10:45]:
> > Package: mutt
> > Version: 1.5.9-2
> > Severity: important
> >
> > I am only making this important because after discussing it on
> > #debian-devel, the consensus was that this was annoying but not RC. I am
> > CC'ing Nico and Elimar since this also applies to the unofficial
> > mutt-ng packages. mutt creates temporary files in a very predictable
> > and unsecure way. There is no threat of overwriting an existing file or
> > creating a file somewhere where the user lacks appropriate permissions,
> > but there is a trivial way to DoS the users in mutt.
> >
> > Steps to replicate:
> >
> > Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
> > running mutt. Note the pid of the mutt process you want to DOS. Note
> > the username and run 'id <user>' to get the uid. Then run 'for i in
> > `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
> > watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
> > reply to mail, 4) or view help until mutt is restarted. For added fun,
> > wrap in another for loop that iterates from 0 to 32767 and hit all the
> > PIDs and prevent the user from using mutt until /tmp is cleaned or the
> > machine is rebooted.
>
> I fixed this bug for mutt-ng.
> I attached a 64 bit hex string to the temporary file name.
> In my opinion the TMPDIR solution is not very good.
> Please CC me.
> Index: trunk/muttlib.c
> ===================================================================
> --- trunk/muttlib.c (Revision 306)
> +++ trunk/muttlib.c (Revision 308)
> @@ -647,8 +647,10 @@
>
> void _mutt_mktemp (char *s, const char *src, int line)
> {
> - snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d", NONULL (Tempdir),
> - NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++);
> +
> + snprintf (s, _POSIX_PATH_MAX, "%s/muttng-%s-%d-%d-%d-%x%x", NONULL (Tempdir),
> + NONULL (Hostname), (int) getuid (), (int) getpid (), Counter++,
> + (unsigned int) rand(), (unsigned int) rand());
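Review bot: the "%x%x" conversions in the new format string do not produce a fixed 64-bit suffix: each rand() result is at most RAND_MAX (2^31-1 on glibc, and only guaranteed to be at least 32767), and without zero padding the two fields vary in length and run into each other. If the random suffix is kept, "%08x%08x" gives it a fixed width, and the empty "+" line added at the top of the function body can be dropped.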
> Regards Nico Golde
>
Thanks. Another possible solution is the use of the tmpfile(3) or
mkstemp(3) functions. But yours appears sound as well.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
[Message part 2 (application/pgp-signature, inline)]
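The contrast drawn in this thread between 1-up numbering and mkstemp(3), as an added example that is not part of the thread and not mutt's code. It assumes a caller that creates exclusively and retries a bounded number of counters; DEMO_HOST, the function names and the scratch directory are hypothetical, and mkstemps(3) is used to show a kept suffix such as ".html" still getting a random name.

```c
#define _DEFAULT_SOURCE          /* for mkstemps(3) and mkdtemp(3) on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_HOST "examplehost"  /* constructed value, stands in for Hostname */

/* Name scheme from the report: <dir>/mutt-<host>-<uid>-<pid>-<counter>.
 * Every field is visible to, or guessable by, any other local user. */
static void predictable_name(char *s, size_t n, const char *dir, int counter)
{
    snprintf(s, n, "%s/mutt-%s-%d-%d-%d", dir, DEMO_HOST,
             (int) getuid(), (int) getpid(), counter);
}

/* Assumed caller (not mutt's code): exclusive create, move to the next
 * counter on EEXIST, give up after max_tries. Returns an fd or -1. */
static int open_predictable(const char *dir, int max_tries, char *out, size_t n)
{
    for (int c = 0; c < max_tries; c++) {
        predictable_name(out, n, dir, c);
        int fd = open(out, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;
    }
    return -1;                   /* every candidate name was already taken */
}

/* mkstemp(3)/mkstemps(3) pick the random part and do the exclusive create
 * themselves, retrying on collision, so no name exists to guess in advance. */
static int open_random(const char *dir, const char *suffix, char *out, size_t n)
{
    snprintf(out, n, "%s/mutt-XXXXXX%s", dir, suffix);
    return *suffix ? mkstemps(out, (int) strlen(suffix)) : mkstemp(out);
}

/* Returns a bitmask: 1 = predictable scheme got a file, 2 = mkstemp did,
 * 4 = mkstemps kept the ".html" suffix and the file is mode 0600.
 * Returns -1 if the scratch directory could not be created. */
int run_demo(int taken, int max_tries)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX", path[512];
    int result = 0, fd;
    struct stat st;

    if (mkdtemp(dir) == NULL)    /* private 0700 scratch dir for the demo */
        return -1;

    /* Simulate names that are already occupied before the program asks. */
    for (int c = 0; c < taken; c++) {
        predictable_name(path, sizeof path, dir, c);
        if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) >= 0)
            close(fd);
    }

    if ((fd = open_predictable(dir, max_tries, path, sizeof path)) >= 0) {
        result |= 1;
        close(fd);
    }
    if ((fd = open_random(dir, "", path, sizeof path)) >= 0) {
        result |= 2;
        close(fd);
        unlink(path);
    }
    if ((fd = open_random(dir, ".html", path, sizeof path)) >= 0) {
        size_t len = strlen(path);
        if (len > 5 && strcmp(path + len - 5, ".html") == 0 &&
            fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600)
            result |= 4;
        close(fd);
        unlink(path);
    }

    /* Clean up the predictable names and the scratch directory. */
    int upto = taken > max_tries ? taken : max_tries;
    for (int c = 0; c < upto; c++) {
        predictable_name(path, sizeof path, dir, c);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("5 names taken, 5 tries: %d\n", run_demo(5, 5));
    printf("3 names taken, 5 tries: %d\n", run_demo(3, 5));
    printf("no names taken:         %d\n", run_demo(0, 5));
    return 0;
}
```

The predictable scheme only fails when every counter in the retry range is occupied, which is why the report's loop covers a wide range; the mkstemp-based calls succeed in all three runs.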
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Roberto C. Sanchez" <roberto@familiasanchez.net>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #77 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Adeodato,
* Adeodato Simó <asp16@alu.ua.es> [2005-05-31 22:05]:
> Hello Nico, could you please avoid CC'ing submit@bugs.debian.org on
> your mails. PTS subscribers get duplicated e-mails.
oh sorry...
thanks
nico
--
Nico Golde - 310777820@ICQ | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #82 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
it seems like mutt doesn't initialize the rand like mutt-ng
does so this would be the right:
--- mutt-1.5.8/muttlib.c 2005-02-12 20:30:16.000000000 +0100
+++ muttlib.c 2005-05-31 23:06:15.000000000 +0200
@@ -668,7 +668,10 @@
void _mutt_mktemp (char *s, const char *src, int line)
{
- snprintf (s, _POSIX_PATH_MAX, "%s/mutt-%s-%d-%d-%d", NONULL (Tempdir), NONULL(Hostname)
, (int) getuid(), (int) getpid (), Counter++);
+ long sek;
+ time(&sek);
+ srand(sek);
+ snprintf (s, _POSIX_PATH_MAX, "%s/mutt-%s-%d-%d-%d%x%x", NONULL (Tempdir), NONULL(Hostn
ame), (int) getuid(), (int) getpid (), Counter++, (unsigned int) rand(), (unsigned int) ra
nd());
dprint (1, (debugfile, "%s:%d: mutt_mktemp returns \"%s\".\n", src, line, s));
unlink (s);
}
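Review bot: srand(sek) at the top of _mutt_mktemp() re-seeds the generator on every call with the current second, so two names requested within the same second get the same rand() pair and differ only in Counter, and anyone who knows the clock can reproduce the suffix. Seed once at startup instead, or use mkstemp(3). Also declare sek as time_t rather than long, since time() takes a time_t pointer, and note that the new format "%d%x%x" has no "-" between the counter and the hex digits, unlike the mutt-ng version of this change.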
Regards Nico
--
Nico Golde - 310777820@ICQ | GPG: 1024D/73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
[Message part 2 (application/pgp-signature, inline)]
Tags added: patch
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>.
(full text, mbox, link).
Message #89 received at 311296@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
This bug has been assigned CVE id CAN-2005-2351, so please mention
it in the changelog when fixing it.
--
see shy jo
[signature.asc (application/pgp-signature, inline)]
Tags added: security
Request was from micah@riseup.net (micah)
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to "Pascal A. Dupuis" <Pascal.Dupuis@esat.kuleuven.be>:
Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.
(full text, mbox, link).
Message #96 received at 311296@bugs.debian.org (full text, mbox, reply):
Package: mutt
Version: 1.5.11+cvs20060330-1
Followup-For: Bug #311296
Hello,
While trying to debug another problem with galeon, I found that the
bug is still present when using this kind of entry in the .mailcap:
text/html; galeon -x -w %s; needsterminal; \
test=ps ax|egrep -q "[0-9] *galeon";\
nametemplate= %s.html
In this case, the temporary file is still mutt.html, and not
<something-random>.html. Commenting the "nametemplate" option, the name is
correctly randomised. CAN-2005-2351 is still not entirely solved...
Best regards
Pascal Dupuis
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.1
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Versions of packages mutt depends on:
ii libc6 2.3.6-4 GNU C Library: Shared libraries an
ii libdb4.4 4.4.20-4 Berkeley v4.4 Database Libraries [
ii libgnutls12 1.2.9-2 the GNU TLS library - runtime libr
ii libidn11 0.5.18-2 GNU libidn library, implementation
ii libncursesw5 5.5-1 Shared libraries for terminal hand
ii libsasl2 2.1.19-1.9+b1 Authentication abstraction library
ii postfix [mail-transport-ag 2.2.9-1+b1 A high-performance mail transport
Versions of packages mutt recommends:
ii locales 2.3.6-4 GNU C Library: National Language (
ii mime-support 3.36-1 MIME files 'mime.types' & 'mailcap
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>:
Bug#311296; Package mutt.
(full text, mbox, link).
Acknowledgement sent to Michelle Konzack <linux4michelle@freenet.de>:
Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>.
(full text, mbox, link).
Message #101 received at 311296@bugs.debian.org (full text, mbox, reply):
On 2005-05-31 13:54:11, Mark Suter wrote:
> The flip-side of (2) is that the user avoids this class of problem for
> many different packages, present and future. Setting TMPDIR is a good
> solution for the user - all software honouring this variable will now
^^^^^^^^^^^^
ssh-agent does not :-(
I set TMPDIR, TEMPDIR, TMP and TEMP from /etc/profile to "/tmp/$USER"
Greetings
Michelle Konzack
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
50, rue de Soultz MSM LinuxMichi
0033/3/88452356 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Changed Bug submitter from "Roberto C. Sanchez" <roberto@familiasanchez.net> to "Roberto C. Sanchez" <roberto@connexer.com>.
Request was from "Roberto C. Sanchez" <roberto@connexer.com>
to control@bugs.debian.org.
(full text, mbox, link).
Changed Bug title to mutt: less random temp file creation allows DOS from mutt: Temporary file creation is unsafe.
Request was from Justin Pryzby <justinpryzby@users.sourceforge.net>
to control@bugs.debian.org.
(Sun, 06 May 2007 15:03:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#311296; Package mutt.
(Sun, 25 Jan 2009 21:48:05 GMT) (full text, mbox, link).
Acknowledgement sent
to antonio@dyne.org:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>.
(Sun, 25 Jan 2009 21:48:05 GMT) (full text, mbox, link).
Message #115 received at 311296@bugs.debian.org (full text, mbox, reply):
tag 311296 +upstream
forwarded 311296 http://bugs.mutt.org/3158
severity 311296 normal
thanks
Surprisingly the problem is still there.
I've forwarded the problem upstream.
Cheers
Antonio
Tags added: upstream
Request was from Antonio Radici <antonio@dyne.org>
to control@bugs.debian.org.
(Sun, 25 Jan 2009 21:48:07 GMT)
Noted your statement that Bug has been forwarded to http://bugs.mutt.org/3158.
Request was from Antonio Radici <antonio@dyne.org>
to control@bugs.debian.org.
(Sun, 25 Jan 2009 21:48:07 GMT)
Severity set to `normal' from `minor'
Request was from Antonio Radici <antonio@dyne.org>
to control@bugs.debian.org.
(Sun, 25 Jan 2009 21:48:08 GMT)
Bug marked as found in version 1.5.19-1.
Request was from Antonio Radici <antonio@dyne.org>
to control@bugs.debian.org.
(Sun, 25 Jan 2009 21:48:12 GMT)
Tags added: pending
Request was from Antonio Radici <antonio@dyne.org>
to control@bugs.debian.org.
(Fri, 19 Jun 2009 22:03:02 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#311296; Package mutt.
(Sun, 07 Feb 2010 19:27:03 GMT)
Acknowledgement sent
to Antonio Radici <antonio@dyne.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>.
(Sun, 07 Feb 2010 19:27:03 GMT)
Message #130 received at 311296@bugs.debian.org:
Hi,
this is fixed in our internal git repo with the patch written by Nico Golde;
I've also forwarded the patch upstream.
The next Debian version of mutt will include this patch.
Cheers
Antonio
Reply sent
to Antonio Radici <antonio@dyne.org>:
You have taken responsibility.
(Mon, 08 Feb 2010 01:21:05 GMT)
Notification sent
to "Roberto C. Sanchez" <roberto@connexer.com>:
Bug acknowledged by developer.
(Mon, 08 Feb 2010 01:21:05 GMT)
Message #135 received at 311296-close@bugs.debian.org:
Source: mutt
Source-Version: 1.5.20-7
We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive:
mutt-dbg_1.5.20-7_i386.deb
to main/m/mutt/mutt-dbg_1.5.20-7_i386.deb
mutt-patched_1.5.20-7_i386.deb
to main/m/mutt/mutt-patched_1.5.20-7_i386.deb
mutt_1.5.20-7.diff.gz
to main/m/mutt/mutt_1.5.20-7.diff.gz
mutt_1.5.20-7.dsc
to main/m/mutt/mutt_1.5.20-7.dsc
mutt_1.5.20-7_i386.deb
to main/m/mutt/mutt_1.5.20-7_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 311296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Radici <antonio@dyne.org> (supplier of updated mutt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 08 Feb 2010 00:27:55 +0000
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source i386
Version: 1.5.20-7
Distribution: unstable
Urgency: low
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Antonio Radici <antonio@dyne.org>
Description:
mutt - text-based mailreader supporting MIME, GPG, PGP and threading
mutt-dbg - debugging symbols for mutt
mutt-patched - the Mutt Mail User Agent with extra patches
Closes: 228671 311296 383769 528233 537746 539276 545316 547739 547980 548494 549006 553238 553321 557395 568295
Changes:
mutt (1.5.20-7) unstable; urgency=low
.
* debian/NEWS: backported a note about the new behavior with attachments
on the command line (Closes: 539276)
* debian/patches:
+ upstream/548494-swedish-intl.patch: fixes to Swedish translation
(Closes: 548494)
+ upstream/553238-german-intl.patch: small fix to the German translation
(Closes: 553238)
+ upstream/553321-ansi-escape-segfault.patch: prevent mutt from segfaulting
with large ASCII escape sequences (Closes: 553321)
+ upstream/557395-muttrc-crypto.patch: small fix to the muttrc man
(Closes: 557395)
+ upstream/545316-header-color.patch: do not store the color in header cache
(Closes: 545316)
+ upstream/568295-references.patch: preserve the References header if the
In-Reply-To is not initially present (Closes: 568295)
+ upstream/547980-smime_keys-chaining.patch: support certificate chaining in
smime_keys (Closes: 547980, 549006)
+ upstream/528233-readonly-open.patch: open attachments in read-only
(Closes: 528233)
+ upstream/228671-pipe-mime.patch: don't mess up the terminal while piping
attachments (Closes: 228671)
+ upstream/383769-score-match.patch: match full name with ~f, same as
mutt-ng (Closes: 383769)
+ upstream/547739-manual-typos.patch: typos in manual.txt (Closes: 547739)
+ upstream/311296-rand-mktemp.patch: more random file creation in /tmp, see
CVE CAN-2005-2351 (Closes: 311296)
+ debian-specific/Muttrc: set time_inc to be 250ms (Closes: 537746)
* debian/control:
+ bumping Standards-Version to 3.8.4, nothing to be done
+ adding ${misc:Depends} to make lintian happy
* debian/rules: adding a commented rule to enable tokyocabinet if we want
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 13 Jun 2010 07:38:14 GMT)
Last modified:
Fri Aug 2 03:10:04 2024;