Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 2759

From schwim@whatmore.Stanford.EDU Tue Mar 17 18:50:36 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id SAA18401 for ; Tue, 17 Mar 1998 18:50:35 -0500
Received: from whatmore.Stanford.EDU by MIT.EDU with SMTP id AA23732; Tue, 17 Mar 98 18:50:33 EST
Received: (from schwim@localhost) by whatmore.Stanford.EDU (8.8.8/8.8.8) id PAA29584; Tue, 17 Mar 1998 15:50:32 -0800 (PST)
Message-Id: <199803172350.PAA29584@whatmore.Stanford.EDU>
Date: Tue, 17 Mar 1998 15:50:32 -0800 (PST)
From: Larry Schwimmer
To: krb5-bugs@MIT.EDU
Cc: schwim@leland.Stanford.EDU
Subject: BUG: possible lib/krb4/tf_util.c race condition

>Number:         560
>Category:       krb5-libs
>Synopsis:       BUG: possible lib/krb4/tf_util.c race condition
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mdh
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Mar 17 18:51:00 EST 1998
>Last-Modified:  Thu Jul 09 19:52:09 EDT 1998
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: mdh
State-Changed-When: Thu Jul 9 19:50:27 1998
State-Changed-Why:
Patch checked in, modified slightly from Larry's.  A similar patch was
made on the shared libraries code, which is largely untested but
basically identical.

Responsible-Changed-From-To: gnats-admin->mdh
Responsible-Changed-By: mdh
Responsible-Changed-When: Thu Jul 9 19:51:57 1998
Responsible-Changed-Why:
Taken and solved.
>Unformatted:
Submitter-Id:   net
Originator:     Larry Schwimmer
Confidential:   no
Synopsis:       tf_init has a /tmp race condition
Severity:       serious
Priority:       medium
Category:       krb5-libs
Class:          sw-bug
Release:        1.0.5
Environment:    All
Description:
tf_init uses lstat to check the permissions on the ticket file.  Since
lstat+open is not atomic, a race condition exists.  Since the open call
only specifies O_RDWR and the call may be made by root for a regular
user, it is a potential root-level exploit for code using the krb4
compatibility library.
How-To-Repeat:
Read the code.
Fix:
Replace lstat + open(O_RDWR) with open(O_RDWR|O_CREAT|O_EXCL) + fstat for
the write call and open(O_RDONLY|O_NONBLOCK) + fstat for the read call.
This eliminates the race condition since the file descriptor checked by
fstat is the file that was created or read.  This eliminates the symlink
problem by using O_CREAT|O_EXCL.  This eliminates the blocking problem
(as a named pipe could do) by specifying O_NONBLOCK.

yours,
Larry Schwimmer
schwim@leland.stanford.edu
Leland Systems Group
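The two patterns the report contrasts, written out side by side as an added example. This is not krb5's tf_util.c and not Larry's patch: the function names (racy_open_ticket, safe_open_ticket_write, safe_open_ticket_read, self_check), the exact set of fstat checks (regular file, expected owner, no group/other bits, single link) and the temporary-directory self-check are this example's own assumptions. The "before" function keeps the lstat-then-open window the report describes; the two "after" functions open first and inspect the descriptor they actually hold, with O_CREAT|O_EXCL on the write side and O_NONBLOCK on the read side, so a symlink or a FIFO planted at the path is rejected instead of followed or blocked on.

```c
/* Added example: lstat+open (racy) beside open+fstat (the proposed fix).
 * Names and the check set are this example's choices, not krb5's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Inspect the object we actually opened: a plain file, owned by the
 * expected user, not readable by group/other, and not hard-linked. */
static int ticket_fstat_ok(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == owner &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 && st.st_nlink == 1;
}

/* BEFORE: lstat, then open. Between the two syscalls the path can be
 * replaced, so the checks describe a different object than the one opened. */
int racy_open_ticket(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    return open(path, O_RDWR);   /* window: path may have changed since lstat */
}

/* AFTER, write side: O_CREAT|O_EXCL neither follows a symlink nor reuses an
 * existing file; fstat then examines the descriptor we hold. */
int safe_open_ticket_write(const char *path, uid_t owner)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (!ticket_fstat_ok(fd, owner)) { close(fd); unlink(path); return -1; }
    return fd;
}

/* AFTER, read side: O_NONBLOCK keeps open() from hanging on a FIFO with no
 * writer; fstat on the descriptor rejects anything but a plain file. */
int safe_open_ticket_read(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    if (!ticket_fstat_ok(fd, owner)) { close(fd); return -1; }
    /* Regular file confirmed; restore blocking reads for normal use. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
    return fd;
}

/* Exercise the safe pair in a private temp directory constructed here.
 * Returns 0 when every expectation holds, else the number of the failed step. */
int self_check(void)
{
    char dir[] = "/tmp/tfutil-exampleXXXXXX";
    char tkt[256], fifo[256], loose[256];
    int fd, fd2, fd3, rc = 0;
    uid_t me = getuid();

    if (!mkdtemp(dir)) return 1;
    snprintf(tkt, sizeof tkt, "%s/tkt", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(loose, sizeof loose, "%s/loose", dir);

    /* 2: first create succeeds; 3: second O_EXCL create fails with EEXIST;
     * 4: reopening our own 0600 file for reading is accepted. */
    fd = safe_open_ticket_write(tkt, me);
    if (fd < 0) rc = 2;
    else if (safe_open_ticket_write(tkt, me) >= 0 || errno != EEXIST) rc = 3;
    else if ((fd2 = safe_open_ticket_read(tkt, me)) < 0) rc = 4;
    else close(fd2);
    if (fd >= 0) close(fd);

    /* 5: a FIFO planted at the path is rejected, and open() does not block. */
    if (rc == 0 && mkfifo(fifo, 0600) == 0 && safe_open_ticket_read(fifo, me) >= 0)
        rc = 5;
    /* 6: a regular file with group/other permission bits is rejected. */
    if (rc == 0) {
        fd3 = open(loose, O_WRONLY | O_CREAT, 0644);
        if (fd3 >= 0) { fchmod(fd3, 0644); close(fd3); }
        if (safe_open_ticket_read(loose, me) >= 0) rc = 6;
    }
    unlink(tkt); unlink(fifo); unlink(loose); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED at step", rc);
    return rc;
}
```

The FIFO step is the one that shows why O_NONBLOCK belongs on the read path: without it, open() on a pipe with no writer would sit forever, which is the blocking problem the report mentions. The caller still has to supply the uid it expects to own the file, since fstat can only tell you who owns what you opened, not who should.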