<<< Date Index >>>     <<< Thread Index >>>

bug#1833: marked as done (mutt-1.4.2.1i: temp file name collision)



Your message dated Mon, 12 Apr 2004 21:21:21 +0200
with message-id <20040412192121.GG5807@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
and subject line bug#1833: mutt-1.4.2.1i: temp file name collision
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Herr der Kaefer
(administrator, GUUG bugs database)

--------------------------------------
Received: (at submit) by bugs.guug.de; 18 Mar 2004 07:15:11 +0000
>From eravin@xxxxxxxxx Thu Mar 18 08:15:09 2004
Received: from mail3.panix.com ([166.84.1.74])
        by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
        id 1B3rkC-0000wJ-00
        for <submit@xxxxxxxxxxxx>; Thu, 18 Mar 2004 08:15:08 +0100
Received: from panix5.panix.com (panix5.panix.com [166.84.1.5])
        by mail3.panix.com (Postfix) with ESMTP
        id B786B98576; Thu, 18 Mar 2004 02:17:58 -0500 (EST)
Received: (from eravin@localhost)
        by panix5.panix.com (8.11.6p2-a/8.8.8/PanixN1.1) id i2I7HwA24642;
        Thu, 18 Mar 2004 02:17:58 -0500 (EST)
Date: Thu, 18 Mar 2004 02:17:58 -0500 (EST)
From: <eravin@xxxxxxxxx>
Message-Id: <200403180717.i2I7HwA24642@xxxxxxxxxxxxxxxx>
Organization: All Watched Over by Machines of Loving Grace
Subject: mutt-1.4.2.1i: temp file name collision
To: submit@xxxxxxxxxxxx
X-Spam-Status: No, hits=-3.6 required=4.0
        tests=BAYES_10,NO_REAL_NAME
        version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

Package: mutt
Version: 1.4.2.1i
Severity: normal

-- Please type your report below this line

I was running a script to use mutt to send a few hundred messages.
Mutt was invoked in the script like this:

   mutt -H./bulk.me.tmp $email < /dev/null

One of the messages generated this error (sorry, it scrolled off, so
this is from memory):

  Cannot create file /var/tmp/mutt-panix5-22369-6

I use a multi-user system and we've seen this kind of problem before -
mutt appears to build a tempfile name out of the PID, without using
any user-specific information.  When the PIDs on the system wrap, it's
possible to have a temp file name collision where mutt comes up with
a file name that exits and is owned by a different user.

Suggest you add the username to the temp filename, so if there is a
collision you'll be able to overwrite the file.  Or use mkstemp() or
the like to generate a more unique filename with less chance of a
collision.  Also, even faintly predictable temp filenames are considered
a security risk these days due to symlink attacks, so using mkstemp() is
probably a good idea in any case.

Thanks!

        -- Ed

-- Build environment information

(Note: This is the build environment installed on the system
muttbug is run on.  Information may or may not match the environment
used to build mutt.)

- gcc version information
gcc
Using builtin specs.
gcc version 2.95.3 20010315 (release) (NetBSD nb3)

- CFLAGS
-Wall -pedantic -g -O2

-- Mutt Version Information

Mutt 1.4.2.1i (2004-02-12)
Copyright (C) 1996-2002 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: NetBSD 1.6.2 (i386) [using ncurses 5.2]
Compile options:
DOMAIN="panix.com"
-DEBUG
-HOMESPOOL  -USE_SETGID  +USE_DOTLOCK  -DL_STANDALONE  
-USE_FCNTL  -USE_FLOCK
-USE_POP  +USE_IMAP  -USE_GSS  +USE_SSL  -USE_SASL  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+HAVE_PGP  +BUFFY_SIZE -EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  -HAVE_WC_FUNCS  -HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_GETSID  +HAVE_GETADDRINFO  
ISPELL="/usr/local/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/pkg/mutt-1.4.2.1/share/mutt"
SYSCONFDIR="/pkg/mutt-1.4.2.1/etc/conf/mutt/mutt-1.4.2.1"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please use the flea(1) utility.


--- Begin /pkg/mutt-1.4.2.1/etc/conf/mutt/mutt-1.4.2.1/Muttrc
ignore "from " received content- mime-version status x-status message-id
ignore sender references return-path lines
macro index \eb '/~b ' 'search in message bodies'
macro index \cb |urlview\n 'call urlview to extract URLs out of a message'
macro pager \cb |urlview\n 'call urlview to extract URLs out of a message'
macro generic <f1> "!less /pkg/mutt-1.4.2.1/libdata/mutt-1.4.2.1/manual.txt\n" 
"Show Mutt documentation"
macro index   <f1> "!less /pkg/mutt-1.4.2.1/libdata/mutt-1.4.2.1/manual.txt\n" 
"Show Mutt documentation"
macro pager   <f1> "!less /pkg/mutt-1.4.2.1/libdata/mutt-1.4.2.1/manual.txt\n" 
"Show Mutt documentation"
set hostname=panix.com
set tmpdir="/var/tmp"
--- End /pkg/mutt-1.4.2.1/etc/conf/mutt/mutt-1.4.2.1/Muttrc


---------------------------------------
Received: (at 1833-done) by bugs.guug.de; 12 Apr 2004 19:19:10 +0000
>From roessler+bounce@xxxxxxxxxxxxxxxxxx Mon Apr 12 21:19:08 2004
Received: from does-not-exist.info ([217.160.221.198] 
helo=kamino.does-not-exist.org)
        by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
        id 1BD6xY-0001F2-00
        for <1833-done@xxxxxxxxxxxx>; Mon, 12 Apr 2004 21:19:08 +0200
Received: from raktajino.does-not-exist.org (p5085647F.dip0.t-ipconnect.de 
[80.133.100.127])
        (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
        (No client certificate requested)
        by kamino.does-not-exist.org (Postfix) with ESMTP
        id 09986193485; Mon, 12 Apr 2004 21:22:05 +0200 (CEST)
Received: by raktajino.does-not-exist.org (Postfix, from userid 500)
        id 6632B8497D; Mon, 12 Apr 2004 21:21:21 +0200 (CEST)
Date: Mon, 12 Apr 2004 21:21:21 +0200
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: eravin@xxxxxxxxx, 1833-done@xxxxxxxxxxxx
Subject: Re: bug#1833: mutt-1.4.2.1i: temp file name collision
Message-ID: <20040412192121.GG5807@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <200403180717.i2I7HwA24642@xxxxxxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200403180717.i2I7HwA24642@xxxxxxxxxxxxxxxx>
User-Agent: Mutt/1.5.6i
X-Spam-Status: No, hits=-106.6 required=4.0
        tests=AWL,BAYES_20,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,
              REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT,
              USER_IN_WHITELIST
        autolearn=ham version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

On 2004-03-18 02:17:58 -0500, eravin@xxxxxxxxx wrote:

> One of the messages generated this error (sorry, it scrolled off,
> so this is from memory):

>   Cannot create file /var/tmp/mutt-panix5-22369-6

> I use a multi-user system and we've seen this kind of problem
> before - mutt appears to build a tempfile name out of the PID,
> without using any user-specific information.  When the PIDs on
> the system wrap, it's possible to have a temp file name collision
> where mutt comes up with a file name that exits and is owned by a
> different user.

Done.

> Suggest you add the username to the temp filename, so if there is
> a collision you'll be able to overwrite the file.  Or use
> mkstemp() or the like to generate a more unique filename with
> less chance of a collision.  Also, even faintly predictable temp
> filenames are considered a security risk these days due to
> symlink attacks, so using mkstemp() is probably a good idea in
> any case.

Two points here: One, we pay a lot of attention to temporary file
creation, so I'm rather sure that mutt has no exploitable temporary
file race conditions.  Two, you can always use $HOME/.tmp (or
something like that) and set TMPDIR accordingly if you're paranoid.

-- 
Thomas Roessler                       <roessler@xxxxxxxxxxxxxxxxxx>