238262 – net/rtg: Fix race condition an possible file tampering

Bug 238262 - net/rtg: Fix race condition an possible file tampering

Summary: net/rtg: Fix race condition an possible file tampering

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Rodrigo Osorio

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-05-31 13:34 UTC by Rodrigo Osorio
Modified:	2019-08-18 13:04 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (freebsd-ports) koobs: merge-quarterly?

Attachments
patch to avoid race condition / file tampering (2.43 KB, patch) 2019-05-31 13:34 UTC, Rodrigo Osorio	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rodrigo Osorio freebsd_committer

2019-05-31 13:34:44 UTC

Created attachment 204741 [details]
patch to avoid race condition / file tampering

During the initialization net/rtg uses /tmp/mysql.sql and /tmp/rtg.sql to store the actions to be performed in the database at the end of the script.

Using well known files can lead to a race condition between two process who uses the same file names and allow file tampering.

This patch introduces the mktemp command to create the temporary file in safer way.

Comment 1 Kubilay Kocak freebsd_committer

2019-06-01 07:28:13 UTC

Reporter is committer, assign accordingly

Comment 2 Rodrigo Osorio freebsd_committer

2019-06-14 11:16:22 UTC

waiting a little bit more for maintainer feedback.

Comment 3 commit-hook freebsd_committer

2019-07-23 14:48:03 UTC

A commit references this bug:

Author: rodrigo
Date: Tue Jul 23 14:47:15 UTC 2019
New revision: 507219
URL: https://svnweb.freebsd.org/changeset/ports/507219

Log:
  Patch createdb script to avoid race condition / file tampering

  During the initialization net/rtg uses the /tmp/mysql.sql
  and /tmp/rtg.sql to store the SQL commands executed in the
  database with special user privileges.

  Using well known files can lead to a race condition between
  two process who uses the same file names and allow file
  tampering by a malicious user.

  This fix uses mktemp command to create temporary files
  in a safe way

  PR:		238262
  Submitted by:	rodrigo
  Approved by:	freebsd-ports@dan.me.uk (maintainer timeout)
  MFH:	2019Q3

Changes:
  head/net/rtg/Makefile
  head/net/rtg/files/patch-etc_createdb.in

Comment 4 Rodrigo Osorio freebsd_committer

2019-07-23 14:49:38 UTC

Committed after maintainer timeout.

Comment 5 commit-hook freebsd_committer

2019-08-18 13:04:06 UTC

A commit references this bug:

Author: rodrigo
Date: Sun Aug 18 13:03:58 UTC 2019
New revision: 509206
URL: https://svnweb.freebsd.org/changeset/ports/509206

Log:
  MFH: r507219

  Patch createdb script to avoid race condition / file tampering

  During the initialization net/rtg uses the /tmp/mysql.sql
  and /tmp/rtg.sql to store the SQL commands executed in the
  database with special user privileges.

  Using well known files can lead to a race condition between
  two process who uses the same file names and allow file
  tampering by a malicious user.

  This fix uses mktemp command to create temporary files
  in a safe way

  PR:		238262
  Submitted by:	rodrigo
  Approved by:	freebsd-ports@dan.me.uk (maintainer timeout)

  Approved by:	ports-secteam (miwi@)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/net/rtg/Makefile
  branches/2019Q3/net/rtg/files/patch-etc_createdb.in