Date: Fri, 13 Nov 1998 00:36:21 -0200 (EDT)
From: Marcelo Tosatti <marcelo@conectiva.com.br>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Bootpd 2.4.3 tmp race
Sorry if this is already known.
I found a tmp race in bootpd 2.4.3.
If the user do not specify a file to dump the database, bootpd dump it in
/tmp/bootpd.dump.
Here goes the fix :
diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c
--- bootp-2.4.3.orig/bootpd.c Mon Mar 27 18:38:35 1995
+++ bootp-2.4.3/bootpd.c Thu Nov 12 05:57:39 1998
@@ -91,11 +91,9 @@
#ifndef CONFIG_FILE
#define CONFIG_FILE "/etc/bootptab"
#endif
-#ifndef DUMPTAB_FILE
-#define DUMPTAB_FILE "/tmp/bootpd.dump"
-#endif
-
+char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";
+
/*
* Externals, forward declarations, and global variables
@@ -369,7 +367,8 @@
if (argc > 1)
bootpd_dump = argv[1];
-
+ else
+ mktemp(DUMPTAB_FILE);
/*
* Get my hostname and IP address.
*/
Marcelo Tosatti
Conectiva Internet Solutions
