Subject: xsrc/32805: file creation race condition in Xsession in xsrc, xorg
List: netbsd-bugs
Date: 02/12/2006 15:05:00
>Number:         32805
>Category:       xsrc
>Synopsis:       there's a /tmp file creation race condition in Xsession
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 12 15:05:00 +0000 2006
>Originator:     Steven M. Bellovin
>Release:        NetBSD 3.99.15
System: NetBSD 3.99.15 NetBSD 3.99.15 (BIGBOY) #0: Fri Feb 10 08:50:25 EST 2006 i386
Architecture: i386
Machine: i386
	Xsession tries to create a log file; among the possibilities are
	/tmp/xses-$USER.  But an attacker could create a symlink of
	that name pointing somewhere else.  Normally, this would be
	a very serious error; however, most of the time it will succeed
	in creating $HOME/.xsession-errors and not try /tmp.

	The problem is in both xsrc and xorg.
	See above.
	Use mktemp instead.
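
The suggested fix, sketched as an added example (not code from the report or from the Xsession script): the log file is opened in the home directory when possible, and the fallback in the shared temporary directory is created with mktemp instead of a fixed xses-$USER name. The function names, the argument order and the scratch-directory demonstration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function and variable names are assumptions, not Xsession's.

# open_session_log HOME_DIR TMP_DIR USER_NAME
# Creates a session log file and prints its path; returns 1 on failure.
open_session_log() {
    home_dir=$1
    tmp_dir=$2
    user_name=$3

    # Preferred location: the user's own home directory, where other local
    # users cannot plant links (assumes $HOME is not writable by others).
    errfile="$home_dir/.xsession-errors"
    if ( umask 077 && : > "$errfile" ) 2>/dev/null; then
        printf '%s\n' "$errfile"
        return 0
    fi

    # Fallback in a world-writable directory: mktemp picks an unpredictable
    # name and creates the file itself with mode 0600, so a link planted at
    # a guessable name is never opened.
    errfile=$(mktemp "$tmp_dir/xses-$user_name.XXXXXX") || return 1
    printf '%s\n' "$errfile"
}

# Constructed demonstration in a private scratch directory: the predictable
# name is already a symlink to another file, and the home directory is
# missing so the fallback path is taken.
demo_planted_link() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/tmp"
    echo 'original contents' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/tmp/xses-alice"

    log=$(open_session_log "$scratch/nohome" "$scratch/tmp" alice) || return 1
    echo "log file:    $log"
    echo "target file: $(cat "$scratch/target")"
    rm -rf "$scratch"
}

demo_planted_link
```

In a session script the returned path would be used as `errfile=$(open_session_log "$HOME" "${TMPDIR-/tmp}" "$USER") && exec > "$errfile" 2>&1`.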