Re: [ecasound] Fw: Bug#86747: ecawave: insecure and broken tmp-file handling

New Message Reply Date view Thread view Subject view Author view Other groups

Subject: Re: [ecasound] Fw: Bug#86747: ecawave: insecure and broken tmp-file handling
From: Kai Vehmanen (
Date: Mon Feb 26 2001 - 03:28:00 EET

On 26 Feb 2001, Robert Bihlmeyer wrote:

>> True, I've relied solely on 'tmpdir()'.
> Replacing tmpnam(0) with tempnam(0, 0) should take care of that. But
> you must use O_EXCL on the subsequent open(), or you're open to
> symlink attacks. Or just use mkstemp() or tmpfile().

Hmm, this is a bit tricky. Now plain file descriptor (mkstemp()) or
FILE* handle (tmpfile()) won't do, cause ecawave doesn't have
direct access to the temp file. As the temp file has to be converted
into a libecasound audio object, we will not know how it is opened,
or what code handle it; it might even be dynamically loaded as a plugin.

So we need to get a filename for the tempfile. I guess mkstemp() is still
the best alternative. If I remember right, it changes the template
given as argument into a real filename.

>>> * Leaves tempfiles around when exited via window-close.
> Simply start ecawave, "Open", enter file name, "Ok", select a range,
> "Cut".
> Selecting "close" will remove the Y files but not the X file. Closing
> the window by means of the window-manager will leave all of the files.
> I can reproduce this 100 %.

Ok, both cases are identified as bugs and are fixed (CVS +
0.3dev4). Thanks for the test cases!

>> Nope, you can change this by editing your ~/.ecawaverc (see ecawave
> Is there some reason that the clipboard is the same across
> invocations? So that you can copy between different windows? Perhaps a
> random name could be used - at least subprocesses could get the name
> quit easily.

Actually I've found it useful to have a persistant clipboard that holds
its contents over sessions. Hmm, I can think of a few alternatives:

(a) encode the user name into the default clipboard name, ie.
(b) put the clipboard by default under user's home directory (and thus
    avoid symlink attacks), "~/ecawave-clipboard.wav"

... comments?

> The other possibility is creating a new subdirectory in the tmp dir
> ($TMP;$TMPDIR;/tmp; as above), that is owned by the user and mode 755
> or less.

Hmm, this might not be a bad alternative. So we'd first create a
user-specific directory with mkdir("$tmpdir/ecawave-user", 0700),
and use our own tmpname generator to create the filenames. I'm assuming
here that
        - mkdir is atomic (ie. behaves like open() with O_EXCL)
        - files under the created subdirectory are safe from
          symlink attacks and other kinds of abuse even though
          they are not opened with O_EXCL (nor using mkstemp())

> That seems to be a bit of work, since what you're doing now is
> generating the name on in one layer, and opening the file in a
> completely different one. In short-term fix for the security problems

And going even further, it's not guaranteed that libecasound will handle
the file i/o. At least in theory it's possible to renamed the clipboard to
"clipboard.mp3". In this case, libecasound will fork mpg123 and lame to
access the it!

> tmpname instead of tmpnam; randomize the clipboard file like all the
> other tmp-files.

What do others think? Should ecawave's clipboard be persistant, or should
it be session-specific (ie. when you close ecawave clipboard is deleted)?

 . ... [ audio software for linux ] /\ . 
 . ... [ aivastus net radio ] /\ .

-- To unsubscribe send message 'unsubscribe' in the body of the message to <>.

New Message Reply Date view Thread view Subject view Author view Other groups

This archive was generated by hypermail 2b28 : Mon Feb 26 2001 - 02:47:18 EET