Bug 13286

Summary: [SECURITY] Potential IPXrouted(8) /tmp security problem
Product: Base System
Reporter: venglin <venglin>
Component: bin
Assignee: John Hay <jhay>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 3.2-STABLE   
Hardware: Any   
OS: Any   

Description venglin 1999-08-21 12:50:01 UTC
	An attacker can overwrite any file by creating a link to /tmp/ipxrouted.dmp

Fix: 

Use mkstemp() when opening the dump file.

How-To-Repeat: 
	$ ln -s /etc/master.passwd /tmp/ipxrouted.dmp

	When root sends SIGINFO to the IPXrouted process, the file /etc/master.passwd
	is overwritten.
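
The difference between a fixed dump name and mkstemp(), as an added example that is not part of the bug report and is not the code from the IPXrouted commit. The function names, the scratch directory under /tmp and the "victim" file are assumptions constructed for the demonstration; the link is planted inside a private directory rather than in /tmp itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern: predictable name; open() follows a symlink planted there. */
static int open_dump_fixed(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Suggested fix: mkstemp() replaces the XXXXXX suffix with a random name and
 * creates the file with O_CREAT|O_EXCL, so an existing link is never followed. */
static int open_dump_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Plant a symlink at the dump path (private scratch dir, constructed names),
 * write a 2-byte dump, return the size of the 10-byte link target (-1 on error). */
static long victim_size_after_dump(int use_mkstemp)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX";
    char victim[64], dump[64], tmpl[64];
    struct stat st;
    int fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/ipxrouted.dmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/ipxrouted.XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "protected\n", 10) != 10) return -1;
    close(fd);
    if (symlink(victim, dump) != 0) return -1;

    fd = use_mkstemp ? open_dump_mkstemp(tmpl) : open_dump_fixed(dump);
    if (fd < 0 || write(fd, "x\n", 2) != 2) return -1;
    close(fd);
    if (stat(victim, &st) != 0) return -1;
    unlink(dump); unlink(tmpl); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    printf("victim size: fixed name %ld, mkstemp() %ld\n",
           victim_size_after_dump(0), victim_size_after_dump(1));
    return 0;
}
```

With the fixed name the link target is truncated and holds only the dump bytes; with mkstemp() it keeps its original contents.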
Comment 1 ru freebsd_committer freebsd_triage 1999-09-14 18:23:03 UTC
Responsible Changed
From-To: freebsd-bugs->jhay

So John remembers to MFC. 
Comment 2 John Hay freebsd_committer freebsd_triage 2000-02-16 17:31:04 UTC
State Changed
From-To: open->closed

Fixed in -current and RELENG_3, revisions 1.9 and 1.7.2.3 of IPXrouted/main.c.