netbsd-bugs: xsrc/32805: file creation race condition in Xsession in xsrc, xorg

Subject: xsrc/32805: file creation race condition in Xsession in xsrc, xorg
To: None <xsrc-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <smb@cs.columbia.edu>
List: netbsd-bugs
Date: 02/12/2006 15:05:00

>Number:         32805
>Category:       xsrc
>Synopsis:       there's a /tmp file creation race condition in Xsession
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 12 15:05:00 +0000 2006
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.15
>Organization:
>Environment:
	
	
System: NetBSD bigboy.machshav.com 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 smb@bigboy.machshav.com:/usr/BUILD/obj/sys/arch/i386/compile/BIGBOY i386
Architecture: i386
Machine: i386
>Description:
	Xsession tries to create a log file; among the possiblities are
	/tmp/xses-$USER.  But an attacker could create a symlink of
	that name pointing somewhere else.  Normally, this would be
	a very serious error; however, most of the time it will succeed
	in creating $HOME/.xsession-errors and not try /tmp.

	The problem is in both xsrc and xorg.
>How-To-Repeat:
	See above.
>Fix:
	Use mktemp instead.

>Unformatted: