From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Fri, 10 Jun 2011 10:46:47 -0700
To: bug-gnu-emacs@gnu.org
Subject: mktemp-related race condition in movemail
Message-ID: <4DF25887.3010903@cs.ucla.edu>

There is a race condition in lib-src/movemail.c, and some related bugs.
I plan to commit the following patch. This one has security implications,
so I'm filing a bug report to give others a bigger heads-up.
I found this one via GCC 4.6.0's static analysis.

* movemail.c: Fix race condition and related bugs.
(main) [!MAIL_USE_SYSTEM_LOCK]: Prefer mkstemp to mktemp,
as this fixes some race conditions. Report mkstemp/mktemp
errno rather than a possibly-garbage errno. Reinitialize the
template each time through the loop, as earlier mkstemp/mktemp
calls could have trashed it. Pass 0600 (not 0666) to mktemp,
for consistency with mkstemp; the permissions don't matter anyway.

=== modified file 'lib-src/movemail.c' --- lib-src/movemail.c 2011-04-16 21:20:25 +0000 +++ lib-src/movemail.c 2011-06-10 17:30:52 +0000 
@@ -168,8 +168,9 @@ #ifndef MAIL_USE_SYSTEM_LOCK struct stat st; int tem; - char *lockname, *p; + char *lockname; char *tempname; + size_t inname_dirlen; int desc; #endif /* not MAIL_USE_SYSTEM_LOCK */ 
@@ -298,26 +299,38 @@ to bug-gnu-emacs@prep.ai.mit.edu so we can fix it. */ lockname = concat (inname, ".lock", ""); - tempname = (char *) xmalloc (strlen (inname) + strlen ("EXXXXXX") + 1); - strcpy (tempname, inname); - p = tempname + strlen (tempname); - while (p != tempname && !IS_DIRECTORY_SEP (p[-1])) - p--; - *p = 0; - strcpy (p, "EXXXXXX"); - mktemp (tempname); - unlink (tempname); + for (inname_dirlen = strlen (inname); + inname_dirlen && !IS_DIRECTORY_SEP (inname[inname_dirlen - 1]); + inname_dirlen--) + continue; + tempname = (char *) xmalloc (inname_dirlen + sizeof "EXXXXXX"); while (1) { /* Create the lock file, but not under the lock file name. */ /* Give up if cannot do that. */ - desc = open (tempname, O_WRONLY | O_CREAT | O_EXCL, 0666); + + memcpy (tempname, inname, inname_dirlen); + strcpy (tempname + inname_dirlen, "EXXXXXX"); +#ifdef HAVE_MKSTEMP + desc = mkstemp (tempname); +#else + mktemp (tempname); + if (!*tempname) + desc = -1; + else + { + unlink (tempname); + desc = open (tempname, O_WRONLY | O_CREAT | O_EXCL, 0600); + } +#endif if (desc < 0) { + int mkstemp_errno = errno; char *message = (char *) xmalloc (strlen (tempname) + 50); sprintf (message, "creating %s, which would become the lock file", tempname); + errno = mkstemp_errno; pfatal_with_name (message); } close (desc);
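Review bot: In the #else fallback of the second hunk, `unlink (tempname);` runs between mktemp and the O_EXCL open, so a file that another process creates under that name in the window is deleted before the open. mktemp only returns a name that did not exist when it checked, so the unlink can be dropped; let `open (tempname, O_WRONLY | O_CREAT | O_EXCL, 0600)` fail with EEXIST and retry from the top of the loop, where the template is rebuilt, rather than reaching pfatal_with_name. Separately, in the `!*tempname` case the message built from "creating %s, which would become the lock file" prints an empty name; formatting it from the directory prefix plus EXXXXXX would keep the diagnostic useful.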
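The mkstemp properties the commit message relies on, as an added example that is not part of the original message or of the Emacs sources: the file is created under a fresh name with mode 0600, and a template that mkstemp has already expanded is rejected on reuse, which is why it is rebuilt on every pass. The names create_lock_temp and demo, the hard-coded '/' separator (in place of IS_DIRECTORY_SEP) and the /tmp scratch directory are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* declares mkstemp and mkdtemp */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a uniquely named file in INNAME's directory,
   leave its name in TEMPNAME, and return its descriptor (-1 on error).  */
static int create_lock_temp (const char *inname, char *tempname, size_t size)
{
  size_t dirlen = strlen (inname);
  while (dirlen && inname[dirlen - 1] != '/')
    dirlen--;
  if (dirlen + sizeof "EXXXXXX" > size)
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  /* Rebuild the template on every call: mkstemp overwrites the X's.  */
  memcpy (tempname, inname, dirlen);
  strcpy (tempname + dirlen, "EXXXXXX");
  return mkstemp (tempname); /* chooses the name and creates it atomically */
}

/* Returns 0 when every check holds, else the number of the failed check.  */
int demo (void)
{
  char dir[] = "/tmp/movemail-demo-XXXXXX"; /* constructed scratch directory */
  char inname[64], t1[64], t2[64];
  struct stat st;
  int rc = 0;
  if (!mkdtemp (dir))
    return 1;
  snprintf (inname, sizeof inname, "%s/mbox", dir);
  int d1 = create_lock_temp (inname, t1, sizeof t1);
  int d2 = create_lock_temp (inname, t2, sizeof t2);
  if (d1 < 0 || d2 < 0) rc = 2;
  else if (strcmp (t1, t2) == 0) rc = 3;            /* names are distinct */
  else if (fstat (d1, &st) || (st.st_mode & 0777) != 0600) rc = 4;
  else if (mkstemp (t1) != -1 || errno != EINVAL) rc = 5; /* stale template */
  if (d1 >= 0) { close (d1); unlink (t1); }
  if (d2 >= 0) { close (d2); unlink (t2); }
  rmdir (dir);
  return rc;
}
int main (void) { int rc = demo (); printf ("demo: %d\n", rc); return rc; }
```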
From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Fri, 10 Jun 2011 10:50:58 -0700
To: 8836-done@debbugs.gnu.org
Subject: Re: bug#8836: Acknowledgement (mktemp-related race condition in movemail)
Message-ID: <4DF25982.20901@cs.ucla.edu>
References: <4DF25887.3010903@cs.ucla.edu>

I committed the fix in bzr 104555 on the trunk.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Date: Sat, 09 Jul 2011 11:24:04 +0000
Subject: Internal Control

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator