From mboxrd@z Thu Jan  1 00:00:00 1970
Path: quimby.gnus.org!not-for-mail
From: Pavel@Janik.cz (Pavel =?iso-8859-2?q?Jan=EDk?=)
Newsgroups: gmane.emacs.devel
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Sat, 02 Mar 2002 12:52:51 +0100
Message-ID: <m3lmdbkwz0.fsf@Janik.cz>
References: <1014945351.23435.102.camel@space-ghost>
NNTP-Posting-Host: quimby2.netfonds.no
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
X-Trace: quimby2.netfonds.no 1015073804 11074 195.204.10.66 (2 Mar 2002 12:56:44 GMT)
X-Complaints-To: usenet@quimby2.netfonds.no
NNTP-Posting-Date: 2 Mar 2002 12:56:44 GMT
Cc: emacs-devel@gnu.org
Original-Received: from fencepost.gnu.org ([199.232.76.164])
	by quimby2.netfonds.no with esmtp (Exim 3.12 #1 (Debian))
	id 16h947-0002sW-00
	for <emacs-devel@quimby.gnus.org>; Sat, 02 Mar 2002 13:56:43 +0100
Original-Received: from localhost ([127.0.0.1] helo=fencepost.gnu.org)
	by fencepost.gnu.org with esmtp (Exim 3.33 #1 (Debian))
	id 16h8yd-0001tT-00; Sat, 02 Mar 2002 07:51:03 -0500
Original-Received: from p0081.as-l043.contactel.cz ([194.108.242.81] helo=SnowWhite.SuSE.cz)
	by fencepost.gnu.org with smtp (Exim 3.33 #1 (Debian))
	id 16h8w3-0001iu-00
	for <emacs-devel@gnu.org>; Sat, 02 Mar 2002 07:48:24 -0500
Original-Received: by SnowWhite.SuSE.cz (PJ, from userid 500)
	id 23682441C6; Sat,  2 Mar 2002 13:50:48 +0100 (CET)
Original-To: Colin Walters <walters@verbum.org>
Mail-Copies-To: never
X-Face: $"d&^B_IKlTHX!y2d,3;grhwjOBqOli]LV`6d]58%5'x/kBd7.MO&n3bJ@Zkf&RfBu|^qL+
 ?/Re{MpTqanXS2'~Qp'J2p^M7uM:zp[1Xq#{|C!*'&NvCC[9!|=>#qHqIhroq_S"MH8nSH+d^9*BF:
 iHiAs(t(~b#1.{w.d[=Z
In-Reply-To: <1014945351.23435.102.camel@space-ghost> (Colin Walters's
 message of "28 Feb 2002 20:15:51 -0500")
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2.50
 (i386-suse-linux-gnu)
Original-Lines: 71
Errors-To: emacs-devel-admin@gnu.org
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Post: <mailto:emacs-devel@gnu.org>
List-Subscribe: <http://mail.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
List-Id: Emacs development discussions. <emacs-devel.gnu.org>
List-Unsubscribe: <http://mail.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://mail.gnu.org/pipermail/emacs-devel/>
Xref: quimby.gnus.org gmane.emacs.devel:1688
X-Report-Spam: http://spam.gmane.org/gmane.emacs.devel:1688

   From: Colin Walters <walters@verbum.org>
   Date: 28 Feb 2002 20:15:51 -0500

   > I discovered a security problem with M-x snake, and a number of other
   > packages. For example, snake writes "snake-scores" to
   > `temporary-file-directory' (which defaults to /tmp on my system).  If an
   > attacker creates a symlink /tmp/snake-scores -> /home/luser/.bashrc, and
   > "luser" later runs M-x snake, then their .bashrc will be happily
   > overwritten with their snake scores.  Try it.

The problem is actually in gamegrid.el's gamegrid-add-score. We should not
write to file if it is symlink or hard link. Am I right?

--- gamegrid.el.~1.4.~	Wed Feb  6 13:39:50 2002
+++ gamegrid.el	Sat Mar  2 12:51:15 2002
@@ -405,26 +405,29 @@
 ;; ;;;;;;;;;;;;;;; high score functions ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (defun gamegrid-add-score (file score)
-  "Add the current score to the high score file."
-  (save-excursion
-  (find-file-other-window file)
-  (setq buffer-read-only nil)
-  (goto-char (point-max))
-  (insert (format "%05d\t%s\t%s <%s>\n"
-		  score
-		  (current-time-string)
-		  (user-full-name)
-		  (cond ((fboundp 'user-mail-address)
-			 (user-mail-address))
-			((boundp 'user-mail-address)
-			 user-mail-address)
-			(t ""))))
-  (sort-numeric-fields 1 (point-min) (point-max))
-    (reverse-region (point-min) (point-max))
-  (goto-line (1+ gamegrid-score-file-length))
-  (delete-region (point) (point-max))
-  (setq buffer-read-only t)
-    (save-buffer)))
+  "Add the current score to the high score file.
+If the high score file is a symlink or hard link, do nothing."
+  (unless (or (file-symlink-p file)
+	      (> (or (file-nlinks file) 0) 1))
+    (save-excursion
+      (find-file-other-window file)
+      (setq buffer-read-only nil)
+      (goto-char (point-max))
+      (insert (format "%05d\t%s\t%s <%s>\n"
+		      score
+		      (current-time-string)
+		      (user-full-name)
+		      (cond ((fboundp 'user-mail-address)
+			     (user-mail-address))
+			    ((boundp 'user-mail-address)
+			     user-mail-address)
+			    (t ""))))
+      (sort-numeric-fields 1 (point-min) (point-max))
+      (reverse-region (point-min) (point-max))
+      (goto-line (1+ gamegrid-score-file-length))
+      (delete-region (point) (point-max))
+      (setq buffer-read-only t)
+      (save-buffer))))
 
 ;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 

-- 
Pavel Janík

die_if_kernel("Whee... Hello Mr. Penguin", current->tss.kregs);
                  -- 2.2.16 arch/sparc/kernel/traps.c

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://mail.gnu.org/mailman/listinfo/emacs-devel