pkg/45558: lang/caml-light insecure-temporary-files

[dholland%netbsd.org@localhost]

>Number:         45558
>Category:       pkg
>Synopsis:       lang/caml-light insecure-temporary-files
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 02 15:35:00 +0000 2011
>Originator:     David A. Holland
>Release:        pkgsrc current (20111102)
>Organization:
>Environment:
n/a
>Description:

caml-light uses mktemp() insecurely.

>How-To-Repeat:

code auditing

>Fix:

--- yacc/main.c~        1995-06-07 09:34:32.000000000 -0400
+++ yacc/main.c 2008-09-04 22:15:26.000000000 -0400
@@ -1,4 +1,5 @@
 #include <signal.h>
+#include <stdlib.h> /* for mkstemp(), getenv() */
 #include "defs.h"
 
 char dflag;
@@ -31,6 +32,11 @@ char *text_file_name;
 char *union_file_name;
 char *verbose_file_name;
 
+static int action_fd = -1;
+static int entry_fd = -1;
+static int text_fd = -1;
+static int union_fd = -1;
+
 FILE *action_file;     /*  a temp file, used to save actions associated    */
                        /*  with rules until the parser is written          */
 FILE *entry_file;
@@ -69,9 +75,6 @@ char  *rassoc;
 short **derives;
 char *nullable;
 
-extern char *mktemp();
-extern char *getenv();
-
 
 done(k)
 int k;
@@ -276,12 +279,21 @@ create_file_names()
     union_file_name[len + 5] = 'u';
 
 #ifndef NO_UNIX
-    mktemp(action_file_name);
-    mktemp(entry_file_name);
-    mktemp(text_file_name);
-    mktemp(union_file_name);
+    action_fd = mkstemp(action_file_name);
+    entry_fd = mkstemp(entry_file_name);
+    text_fd = mkstemp(text_file_name);
+    union_fd = mkstemp(union_file_name);
 #endif
 
+    if (action_fd < 0)
+       open_error(action_file_name);
+    if (entry_fd < 0)
+       open_error(entry_file_name);
+    if (text_fd < 0)
+       open_error(text_file_name);
+    if (union_fd < 0)
+       open_error(union_file_name);
+
     len = strlen(file_prefix);
 
     output_file_name = MALLOC(len + 7);
@@ -321,15 +333,15 @@ open_files()
            open_error(input_file_name);
     }
 
-    action_file = fopen(action_file_name, "w");
+    action_file = fdopen(action_fd, "w");
     if (action_file == 0)
        open_error(action_file_name);
 
-    entry_file = fopen(entry_file_name, "w");
+    entry_file = fdopen(entry_fd, "w");
     if (entry_file == 0)
        open_error(entry_file_name);
 
-    text_file = fopen(text_file_name, "w");
+    text_file = fdopen(text_fd, "w");
     if (text_file == 0)
        open_error(text_file_name);
 
@@ -345,7 +357,7 @@ open_files()
        defines_file = fopen(defines_file_name, "w");
        if (defines_file == 0)
            open_error(defines_file_name);
-       union_file = fopen(union_file_name, "w");
+       union_file = fdopen(union_fd, "w");
        if (union_file ==  0)
            open_error(union_file_name);
     }