Re: [ecasound] Fw: Bug#86747: ecawave: insecure and broken tmp-file handling


Subject: Re: [ecasound] Fw: Bug#86747: ecawave: insecure and broken tmp-file handling
From: Robert Bihlmeyer (robbe@orcus.priv.at)
Date: Mon Feb 26 2001 - 01:00:14 EET


Kai Vehmanen <k@eca.cx> writes:

> > * Doesn't heed $TMP or $TMPDIR.
>
> True, I've relied solely on 'tmpdir()'.

Replacing tmpnam(0) with tempnam(0, 0) should take care of that. But
you must use O_EXCL on the subsequent open(), or you're open to
symlink attacks. Or just use mkstemp() or tmpfile().

> > * Leaves tempfiles around when exited via window-close.
>
> This shouldn't happen (=bug). If this happens every time (reproducible),
> I'd like to know exactly the actions/step you do.

Simply start ecawave, "Open", enter file name, "Ok", select a range,
"Cut".

At this moment, /tmp/fileXXXXXX.wav, /tmp/fileYYYYYY.wav, and
/tmp/fileYYYYYY.wav.ews will exist. (The last file is sometimes
missing.)

Selecting "close" will remove the Y files but not the X file. Closing
the window by means of the window-manager will leave all of the files.
I can reproduce this 100 %.

> > * Always uses the same file (/tmp/ecawave-clipboard.wav) for swapping out
> > clipboard content.
>
> Nope, you can change this by editing your ~/.ecawaverc (see ecawave
> user's guide).

Ok, but the default is always the same, and even if you put something
different in your rc, it is probably predictable and thus prey to a
symlink attack.

Is there some reason that the clipboard is the same across
invocations? So that you can copy between different windows? Perhaps a
random name could be used - at least subprocesses could get the name
quite easily.

> True, this is pretty bad. The whole tmpfile/clipboard issue is quite
> problematic. The basic problem is file size. Ecawave can create huge
> files (it's designed to handle gigabytes) ...

That's why I use it. Many other sound editors simply thrash the
machine to death on multi-megabyte files.

> and I'm not sure, what is the politically and technically correct
> default location to put these files?

Well, the preferred tmp dir is fine: try $TMP, $TMPDIR, /tmp in that
order - tempnam(), mkstemp(), and tmpfile() will AFAIK do that for
you. tmpnam() won't ...

The other possibility is creating a new subdirectory in the tmp dir
($TMP;$TMPDIR;/tmp; as above), that is owned by the user and mode 755
or less.

> For what it's worth, these issues have been on my todo-list for quite a
> while (replacing all uses of tmpfile() with mkstemp(),

That seems to be a bit of work, since what you're doing now is
generating the name in one layer, and opening the file in a
completely different one. A short-term fix for the security problems
would be appreciated. I'm a bit overwhelmed by the whole eca* code
base, ATM.

Perhaps just add O_EXCL to wherever the files are really created; use
tmpname instead of tmpnam; randomize the clipboard file like all the
other tmp-files.

-- 
Robbe
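
The two fixes suggested in the message above (mkstemp() for a random name, O_EXCL where a name generated elsewhere is finally created), as an added C example that is not part of the original post or of ecawave. The function names, the "ecawave-" prefix and the scratch paths are assumptions made for illustration.

```c
/* Added example (not ecawave code); function names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Temp directory in the order given in the message: $TMP, $TMPDIR, /tmp. */
static const char *pick_tmpdir(void)
{
    const char *d = getenv("TMP");
    if (!d || !*d) d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Random name and creation in one step: mkstemp() replaces XXXXXX and opens
 * the file with O_CREAT|O_EXCL. Returns an fd and fills path, or -1. */
int open_random_tmp(char *path, size_t len)
{
    int n = snprintf(path, len, "%s/ecawave-XXXXXX", pick_tmpdir());
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path);
}

/* For a name generated in another layer: O_EXCL makes open() fail with
 * EEXIST if anything, a planted symlink included, already has that name. */
int create_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX", lnk[64], path[4096];
    if (!mkdtemp(dir)) return 1;            /* private scratch dir, mode 0700 */
    snprintf(lnk, sizeof lnk, "%s/clipboard.wav", dir);
    if (symlink("/nonexistent/target", lnk) != 0) return 1; /* constructed */
    int fd = create_exclusive(lnk);         /* expected to fail: name is taken */
    printf("predictable name: fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "created");
    setenv("TMP", dir, 1);
    fd = open_random_tmp(path, sizeof path);
    printf("random name: fd=%d path=%s\n", fd, path);
    if (fd >= 0) { close(fd); unlink(path); }
    unlink(lnk);
    rmdir(dir);
    return 0;
}
```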





This archive was generated by hypermail 2b28 : Mon Feb 26 2001 - 01:12:08 EET