Hi,

just submitted this bug. Am I missing something and is
this somehow "on purpose"?


Cheers,
        Dirk


-------- Original Message --------
Subject: Etch's and Lenny's mktemp seriously broken
Date: Fri, 15 Aug 2008 10:46:09 +0200
From: Dirk Wetter <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]


Package: mktemp
Version: 1.5-2
Severity: grave
Tags: security

There's a problem with the randomness of mktemp. The
string includes a number which includes somewhat
the current process ID (based on the current PID). Worse:
Subsequent calls just seem to increase the number
by one:

[EMAIL PROTECTED]:~|0% cat /etc/debian_version
4.0
[EMAIL PROTECTED]:~|0% ps
  PID TTY          TIME CMD
32342 pts/2    00:00:00 zsh
32366 pts/2    00:00:00 ps
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32367
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32368
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32369
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32370
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32371
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32372
[EMAIL PROTECTED]:~|0%


If you specify more "X" you will get letters included
-- the amount seems to depend on the length of the PPID --
but as far as the numbers are concerned, it shows
the same behaviour.

This is the way it should be (Opensuse):

[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.WawJF
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.53xOG
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.HCmhP
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX



I suggest you use

a) a mixture of letters and numbers for mktemp (more letters, since
   1 out of 26 has a higher degree of randomness than 1 out of 10).
b) don't include a fixed ratio or position of letters/numbers
c) base neither the numbers nor the letters on PIDs or any other
   predictable values. Use /dev/(u)random or similar.


This also applies to Debian Lenny.


Cheers,
        Dirk






--
Dirk Wetter @ Dr. Wetter IT Consulting          http://drwetter.org
IT Security Consulting + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz
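
A check for the pattern reported above, as an added example that is not part of the original message: it classifies the suffixes of consecutive mktemp results. The function names, the `mkcheck` template and the verdict labels are assumptions; the two sample sets are copied from the transcripts in the report.

```shell
#!/bin/sh
# Added example, not part of the original report.
# suffix_verdict reads one mktemp-generated path per line on stdin and prints:
#   sequential    every suffix is a number exactly one above the previous one
#   numeric-only  every suffix is all digits, but not a strict +1 sequence
#   mixed         at least one suffix contains a non-digit
#   insufficient  fewer than 3 samples
suffix_verdict() {
    count=0 numeric=0 steps=0 prev=""
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        count=$((count + 1))
        suffix=${path##*.}                  # text after the last dot (the X part)
        case $suffix in
            ''|*[!0-9]*) prev=""; continue ;;
        esac
        numeric=$((numeric + 1))
        n=${suffix#"${suffix%%[!0]*}"}      # drop leading zeros (avoid octal)
        n=${n:-0}
        if [ -n "$prev" ] && [ "$n" -eq $((prev + 1)) ]; then
            steps=$((steps + 1))
        fi
        prev=$n
    done
    if   [ "$count" -lt 3 ]; then echo insufficient
    elif [ "$numeric" -lt "$count" ]; then echo mixed
    elif [ "$steps" -eq $((count - 1)) ]; then echo sequential
    else echo numeric-only
    fi
}

# Sample sets copied from the two transcripts in the report.
etch_sample() { printf '%s\n' /tmp/-zsh.32342.32367 /tmp/-zsh.32342.32368 \
    /tmp/-zsh.32342.32369 /tmp/-zsh.32342.32370; }
opensuse_sample() { printf '%s\n' /tmp/zsh.6802.WawJF /tmp/zsh.6802.53xOG \
    /tmp/zsh.6802.HCmhP; }

# Collect N fresh names from the local mktemp (hypothetical template name).
live_sample() {
    i=0
    while [ "$i" -lt "${1:-6}" ]; do
        f=$(mktemp "${TMPDIR:-/tmp}/mkcheck.XXXXXX") || return 1
        printf '%s\n' "$f"; rm -f "$f"
        i=$((i + 1))
    done
}

printf 'report, Etch:     %s\n' "$(etch_sample | suffix_verdict)"
printf 'report, openSUSE: %s\n' "$(opensuse_sample | suffix_verdict)"
printf 'this host:        %s\n' "$(live_sample 6 | suffix_verdict)"
```

A `mixed` verdict only shows that the suffix is not a plain counter; it says nothing about where the characters come from.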



