Subject: xsrc/32805: file creation race condition in Xsession in xsrc, xorg
To: None <email@example.com, firstname.lastname@example.org,>
From: None <email@example.com>
Date: 02/12/2006 15:05:00
>Synopsis: there's a /tmp file creation race condition in Xsession
>Arrival-Date: Sun Feb 12 15:05:00 +0000 2006
>Originator: Steven M. Bellovin
>Release: NetBSD 3.99.15
System: NetBSD bigboy.machshav.com 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 firstname.lastname@example.org:/usr/BUILD/obj/sys/arch/i386/compile/BIGBOY i386
Xsession tries to create a log file; among the possiblities are
/tmp/xses-$USER. But an attacker could create a symlink of
that name pointing somewhere else. Normally, this would be
a very serious error; however, most of the time it will succeed
in creating $HOME/.xsession-errors and not try /tmp.
The problem is in both xsrc and xorg.
Use mktemp instead.