Bug 64770 (CVE-2005-0018)

Summary: VUL-0: CVE-2005-0018: Insecure tmp files in f2c
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Thomas Fehr <fehr>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2005-0018: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch.CAN-2005-0017.f2c
             patch.CAN-2005-0018.f2c

Description Ludwig Nussel 2005-01-12 17:24:20 UTC
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

Is f2c typically used repetitively in scripts or so? If not, a fix for
STABLE is sufficient IMO.

Date: Tue, 11 Jan 2005 20:02:04 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2005-001{7,8}: Insecure files in f2c

Javier Fernández-Sanguino Peña of the Debian Security Audit project
discovered that f2c and fc, which are both part of the f2c package, a
Fortran 77 to C/C++ translator, open temporary files insecurely and
are hence vulnerable to a symlink attack.  The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CAN-2005-0017  Multiple insecure temporary files in the f2c translator.
CAN-2005-0018  Two insecure temporary files in the fc shell script.

Javier wrote:

1.- f2c (the C program) defines a set of temporary files in src/sysdep.c's
set_tmp_names (called from main) like this:

        long pid = getpid();
        sprintf(c_functions, "%s/f2c%ld_func", tmpdir, pid);
        sprintf(initfname, "%s/f2c%ld_rd", tmpdir, pid);
        sprintf(blkdfname, "%s/f2c%ld_blkd", tmpdir, pid);
        sprintf(p1_file, "%s/f2c%ld_p1f", tmpdir, pid);
        sprintf(p1_bakfile, "%s/f2c%ld_p1fb", tmpdir, pid);
        sprintf(sortfname, "%s/f2c%ld_sort", tmpdir, pid);

(tmpdir is defined as /tmp and cannot be overwritten through $TMPDIR)
All of these files are fopen()ed at different moments without
further checks (do they exist? do they link somewhere?). An attacker could
just monitor /tmp usage (I believe c_functions is first) and then make
symlinks to the other files (they share the pid) or look for pids of f2c
starting up and symlink the files.

2.- the fc script uses the pid to create temporary files, which is thought of
as unsafe (can be DoSed) and introduces a race condition (from when the
value is used to when the file is created)

These two bugs are present both in woody and in sarge/sid versions of f2c.

The attached patch (untested) tries to introduce fixes to these bugs:

1.- use tempnam() instead of the pid to derive the filenames, this is not
as safe as using mkstemp, but makes it more difficult to derive the value
of the temporary files in f2c. This is a quick & dirty hack, however, the
best way to fix this would be to change the code and have it use file
descriptors (and not char names) in the set_tmp_names script. Also note
that the code in charge of opening files (the opf() function in main.c)
should probably be fixed to avoid following symlinks (using O_NOFOLLOW),
there are other fopen calls that should be reviewed too.

2.- Use tempfile in the shell script and check its output


I'm pretty sure that other vendors also ship f2c so we should probably
work on a coordinated disclosure.  Please let me know if so and take a
look at the attached patches.

Regards,

	Joey
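The attack and the descriptor-based fix the report recommends, as an added example written for this page (it is not f2c's code and not the attached patches). It assumes a POSIX system with a writable /tmp; the helper names (predictable_name, open_private_tmp and the three demo functions) and the "victim" file are this example's own. Demo 1 reproduces the symlink attack against a pid-derived name, demo 2 shows that O_CREAT|O_EXCL|O_NOFOLLOW already refuses a planted link, and demo 3 shows the mkstemp()-plus-descriptor approach that also honours $TMPDIR:

```c
/* Added example, not f2c's code: the pid-derived naming of set_tmp_names()
 * beside a descriptor-based replacement. Each demo builds its own scratch
 * directory with mkdtemp() and a "victim" file, so it runs hermetically. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_TEXT "data the attacker wants clobbered\n"   /* constructed */

/* The vulnerable scheme: dir + "f2c" + pid + suffix, predictable by anyone
 * who can list the directory or read /proc. */
static void predictable_name(char *buf, size_t n, const char *dir, const char *sfx)
{
    snprintf(buf, n, "%s/f2c%ld_%s", dir, (long)getpid(), sfx);
}

/* Private scratch directory plus the victim file the attacker targets. */
static int setup(char *dir, char *victim, size_t n)
{
    strcpy(dir, "/tmp/f2cdemo.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, n, "%s/victim.txt", dir);
    FILE *fp = fopen(victim, "w");
    if (fp == NULL) return -1;
    fputs(VICTIM_TEXT, fp);
    return fclose(fp);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* 1. The attack from the report: pre-link the predictable name to the victim;
 * an unchecked fopen(..., "w") follows the link and truncates the victim.
 * Returns 1 when the victim was clobbered. */
int attack_succeeds_against_pid_names(void)
{
    char dir[64], victim[128], tmp[128];
    if (setup(dir, victim, sizeof victim) != 0) return -1;
    predictable_name(tmp, sizeof tmp, dir, "func");
    if (symlink(victim, tmp) != 0) return -1;     /* attacker's move */
    FILE *fp = fopen(tmp, "w");                    /* f2c's move: no checks */
    if (fp != NULL) { fputs("x", fp); fclose(fp); }
    long size = file_size(victim);
    unlink(tmp); unlink(victim); rmdir(dir);
    return size == 1;
}

/* 2. Open flags alone defeat the planted link: O_CREAT|O_EXCL fails with
 * EEXIST on any existing entry, symlink included, and O_NOFOLLOW never follows
 * one. Returns 1 when the open was rejected and the victim is intact. */
int excl_open_rejects_planted_symlink(void)
{
    char dir[64], victim[128], tmp[128];
    if (setup(dir, victim, sizeof victim) != 0) return -1;
    predictable_name(tmp, sizeof tmp, dir, "func");
    if (symlink(victim, tmp) != 0) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int rejected = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int intact = file_size(victim) == (long)strlen(VICTIM_TEXT);
    unlink(tmp); unlink(victim); rmdir(dir);
    return rejected && intact;
}

/* 3. The proper fix: mkstemp() picks an unpredictable name and creates the file
 * atomically (O_CREAT|O_EXCL, mode 0600); the caller keeps the descriptor and
 * never re-opens by name. $TMPDIR replaces the hard-coded /tmp. */
FILE *open_private_tmp(const char *sfx, char *path, size_t n)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0') tmpdir = "/tmp";
    if ((size_t)snprintf(path, n, "%s/f2c_%s_XXXXXX", tmpdir, sfx) >= n) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) { close(fd); unlink(path); }
    return fp;
}

/* Returns 1 when the file mkstemp() made is a private regular file (0600, one
 * link) whose name is not the pid-derived guess. */
int mkstemp_file_is_private(void)
{
    char dir[64], victim[128], tmp[128] = "", guess[128];
    struct stat st;
    if (setup(dir, victim, sizeof victim) != 0) return -1;
    setenv("TMPDIR", dir, 1);
    FILE *fp = open_private_tmp("func", tmp, sizeof tmp);
    if (fp == NULL) { unlink(victim); rmdir(dir); return -1; }
    fputs("scratch\n", fp);
    predictable_name(guess, sizeof guess, dir, "func");
    int ok = fstat(fileno(fp), &st) == 0 && S_ISREG(st.st_mode)
          && (st.st_mode & 0777) == 0600 && st.st_nlink == 1
          && strcmp(tmp, guess) != 0;
    fclose(fp);
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}
```

Note the caveat from the report itself: swapping the pid for tempnam(), as the quick patch does, still hands the program a name rather than a descriptor, so the window between choosing the name and opening it remains; only creating the file with O_EXCL (which mkstemp() does) and working through the returned descriptor closes it. The fc shell script has the same shape of problem, and its fix is the same idea in shell: let tempfile (or mktemp) create the file and abort if it fails, rather than composing a name from $$.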
Comment 1 Ludwig Nussel 2005-01-12 17:25:03 UTC
Created attachment 27580 [details]
patch.CAN-2005-0017.f2c
Comment 2 Ludwig Nussel 2005-01-12 17:25:16 UTC
Created attachment 27581 [details]
patch.CAN-2005-0018.f2c
Comment 3 Thomas Fehr 2005-01-12 19:15:44 UTC
fixed package is in /work/src/done/STABLE
Comment 4 Thomas Biege 2009-10-13 20:56:55 UTC
CVE-2005-0018: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)