Debian Bug report logs - #56465
/tmp race and bizarre behavior of captoinfo

Package: ncurses-bin; Maintainer for ncurses-bin is Craig Small <csmall@debian.org>; Source for ncurses-bin is src:ncurses.

Reported by: Colin Phipps <cph@cph.demon.co.uk>

Date: Fri, 28 Jan 2000 08:03:00 UTC

Severity: normal

Found in version 5.0-5

Done: Colin Phipps <cph@cph.demon.co.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Joel Klecker <ncurses-maint@debian.org>:
Bug#56465; Package ncurses-bin. Full text and rfc822 format available.

Acknowledgement sent to Colin Phipps <crp22@cam.ac.uk>:
New Bug report received and forwarded. Copy sent to Joel Klecker <ncurses-maint@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Colin Phipps <crp22@cam.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /tmp race and bizarre behavior of captoinfo
Date: Fri, 28 Jan 2000 07:48:50 +0000
Package: ncurses-bin
Version: 5.0-5
Severity: important

I believe there is a bug in progs/tic.c, the relevant bit of code being in
main():

                if (infodump == TRUE) {
                        /* captoinfo's no-argument case */
                        source_file = "/etc/termcap";
                        if ((termcap = getenv("TERMCAP")) != 0
                         && (namelst = make_namelist(getenv("TERM"))) != 0) {
                                if (access(termcap, F_OK) == 0) {
                                        /* file exists */
                                        source_file = termcap;
                                } else
                                if ((source_file = tmpnam(my_tmpname)) != 0
                                 && (tmp_fp = fopen(source_file, "w")) != 0) {
                                        fprintf(tmp_fp, "%s\n", termcap);
                                        fclose(tmp_fp);
                                        tmp_fp = fopen(source_file, "r");
                                        to_remove = source_file;
                                } else {
                                        failed("tmpnam");
                                }
                        }
                } else {

If called as captoinfo, it selects /etc/termcap to read, unless TERMCAP is
set, in which case it reads from what that points to instead. 

But... for some reason it tests to see if the file exists in the second case
(unnecessarily, because this is tested further down), and if it doesn't
exist it opens a temp file, writes $TERMCAP to it, then uses that as the
input file. So:

crp22% export TERMCAP=/tmp/not-here
crp22% captoinfo
"/tmp/file2GyCfe", line 1, col 1: Illegal character (expected alphanumeric
or @%&*!#) - '/' = 0x2f

a meaningless error. I have no idea what it is intending to do, and I know
nothing about termcap databases, but the behavior seems crazy to me. 

This is rated as an important bug because, in addition, the temp file is
opened using an insecure tmpnam() fopen() sequence (standard filename race,
as mentioned in the libc docs for tmpnam). But I won't give a patch since I
can't see what the code is trying to do; I think the whole section of code
relating to the temp file should be removed.

A snippet of strace to confirm the poor temp file handling:

getpid()                                = 11856
stat("/tmp/file2GyCfe", 0xbfffea3c)     = -1 ENOENT (No such file or directory)
open("/tmp/file2GyCfe", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
write(4, "/tmp/not-here\n", 14)         = 14
close(4)                                = 0

ncurses4 appears to not have the bug.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux crp22 2.2.15pre3 #1 Thu Jan 20 17:25:32 GMT 2000 i686

Versions of packages ncurses-bin depends on:
ii  libc6                         2.1.2-12   GNU C Library: Shared libraries an
ii  libncurses5                   5.0-5      Shared libraries for terminal hand
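
Added example, not part of the original report and not ncurses code: it replays the open() flags from the strace above against a name that is already taken, beside an exclusive create and an mkstemp()-based spool, which is one common replacement for the tmpnam()/fopen() pair. The function names, the /tmp templates and the 4-byte sample file are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags strace shows for fopen(name, "w"): no O_EXCL, so anything already
 * at the name when the open happens is reused and truncated. */
#define FOPEN_W_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
#define EXCL_FLAGS (O_WRONLY | O_CREAT | O_EXCL) /* EEXIST if name is taken */

/* Constructed scenario in a private directory: a 4-byte file already sits
 * at the chosen name, standing in for one that appeared between tmpnam()
 * and fopen(). Returns -1 if open(flags) refused it, else its size after. */
long open_over_existing(int flags)
{
    char dir[] = "/tmp/raceXXXXXX", path[64];
    struct stat st;
    long result = -1;
    if (mkdtemp(dir) == NULL) return -2;
    snprintf(path, sizeof path, "%s/taken", dir);
    int fd = open(path, EXCL_FLAGS, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4) return -2;
    close(fd);
    if ((fd = open(path, flags, 0600)) >= 0) {
        if (fstat(fd, &st) == 0) result = (long)st.st_size;
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return result;
}

/* mkstemp() picks the name and does the exclusive create (mode 0600) in
 * one call. Spools `termcap` as tic.c does and returns the new file's
 * permission bits, or -1 on failure; a real caller would keep the fd. */
int spool_termcap(const char *termcap)
{
    char tmpl[] = "/tmp/capXXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl), mode = -1;
    if (fd < 0) return -1;
    if (dprintf(fd, "%s\n", termcap) > 0 && fstat(fd, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(tmpl);
    return mode;
}
```

With the fopen-style flags the existing file is reopened and ends up empty; with O_EXCL the open is refused, which is the check the tmpnam() sequence lacks.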



Severity set to `normal'. Request was from Colin Phipps <crp22@cam.ac.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, send any further explanations to Colin Phipps <crp22@cam.ac.uk> Request was from Colin Phipps <cph@cph.demon.co.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator set to Colin Phipps <cph@cph.demon.co.uk>. Request was from Colin Phipps <cph@cph.demon.co.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Jacobowitz <ncurses-maint@debian.org>:
Bug#56465; Package ncurses-bin. Full text and rfc822 format available.

Acknowledgement sent to Daniel Jacobowitz <dan@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Jacobowitz <ncurses-maint@debian.org>. Full text and rfc822 format available.

Message #16 received at 56465@bugs.debian.org (full text, mbox):

From: Daniel Jacobowitz <dan@debian.org>
To: 56465@bugs.debian.org
Subject: [ncurses captoinfo and /tmp]
Date: Fri, 16 Mar 2001 17:49:23 -0500

The tempfile is no longer opened insecurely, but the strange error still
occurs.  I'm not convinced that there's really anything wrong with it, but
I'll think about the proper behavior here later.

-- 
Daniel Jacobowitz                           Debian GNU/Linux Developer
Monta Vista Software                              Debian Security Team
                         "I am croutons!"



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Jacobowitz <ncurses-maint@debian.org>:
Bug#56465; Package ncurses-bin. Full text and rfc822 format available.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Daniel Jacobowitz <ncurses-maint@debian.org>. Full text and rfc822 format available.

Message #21 received at 56465@bugs.debian.org (full text, mbox):

From: Colin Phipps <cph@cph.demon.co.uk>
To: 56465@bugs.debian.org, 56465-done@bugs.debian.org
Subject: Re: [ncurses captoinfo and /tmp]
Date: Sat, 23 Jun 2001 14:32:11 +0100

Re-reading the man page I can see this is the intended behaviour, although it
wasn't very clear I guess since I missed it first time around. The race is gone
so the bug can go too.

-- 
Colin Phipps <cph@cph.demon.co.uk>   http://www.cph.demon.co.uk/



Reply sent to Colin Phipps <cph@cph.demon.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Colin Phipps <cph@cph.demon.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:53:12 2014; Machine Name: beach.debian.org
