As I understand this, the problem exists in the mktemp() used in src/lharc.c:932 and src/lharc.c:951. The manpage mktemp(3) says:

"Never use mktemp(). Some implementations follow 4.3BSD and replace XXXXXX by the current process ID and a single letter, so that at most 26 different names can be returned. Since on the one hand the names are easy to guess, and on the other hand there is a race between testing whether the name exists and opening the file, every use of mktemp() is a security risk. The race is avoided by mkstemp(3)."

But the behaviour of the app doesn't look vulnerable at all. With the attached patch I propose to avoid any mktemp possibility.

luciano
--- lharc.c.orig 2007-08-14 00:21:24.000000000 -0300
+++ lharc.c 2007-08-14 00:22:07.000000000 -0300
@@ -905,12 +905,8 @@
else {
sprintf(temporary_name, "%s/lhXXXXXX", extract_directory);
}
-#ifdef MKSTEMP
mkstemp(temporary_name);
#else
- mktemp(temporary_name);
-#endif
-#else
char *p, *s;
strcpy(temporary_name, archive_name);
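Review bot: the return value of `mkstemp(temporary_name)` is discarded, so this hunk takes the atomic create but not its benefit: mkstemp returns an open descriptor for the file it has just created (or -1, in which case temporary_name no longer holds a usable name), and the code goes on working with the name alone, leaking the descriptor and reopening by path. Test for -1 and keep the descriptor, e.g. `if ((fd = mkstemp(temporary_name)) == -1) { /* report and abort */ }`, then hand `fd` (via fdopen) to whatever writes the temporary file. Dropping `#ifdef MKSTEMP` also turns mkstemp into a hard build requirement, so whatever build machinery defines MKSTEMP should lose that check in the same change rather than leave the macro dangling.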
@@ -918,11 +914,7 @@
if (*p == '/')
s = p;
strcpy((s ? s + 1 : temporary_name), "lhXXXXXX");
-#ifdef MKSTEMP
mkstemp(temporary_name);
-#else
- mktemp(temporary_name);
-#endif
#endif
}
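Review bot: same unchecked mkstemp call as in the first hunk, so the -1 case needs handling here too; and since this branch is being touched anyway, note that the copies around it are unbounded: `strcpy(temporary_name, archive_name)` followed by `strcpy((s ? s + 1 : temporary_name), "lhXXXXXX")` write whatever length archive_name has into temporary_name without checking the buffer. Bound them (snprintf with the remaining length, or reject an archive_name whose directory part does not leave room for lhXXXXXX) before calling mkstemp, and use the returned descriptor rather than the name.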
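The mkstemp(3) usage the message argues for, as an added example that is not lha's code and not the attached patch: it builds the same two kinds of template the patch does (a name under a chosen directory, and a name beside a given archive), but checks for truncation of the template, checks mkstemp's return value, and treats the returned descriptor rather than the name as the handle to the file. The function names and the buffer sizes are assumptions made here for illustration.

```c
/* Added example, not lha's code: safe temporary-file creation with mkstemp(3).
 * Function names (create_temp_in_dir, create_temp_beside, temp_is_consistent)
 * are assumptions for this illustration. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<dir>/lhXXXXXX" into buf and create the file atomically.
 * Returns the open descriptor (>= 0) on success, -1 on failure with errno set.
 * On success buf holds the real file name, but callers should do their I/O
 * through the descriptor: reopening by name would reintroduce a lookup by path. */
int create_temp_in_dir(const char *dir, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s/lhXXXXXX", dir);
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;   /* the template would have been truncated */
        return -1;
    }
    int fd = mkstemp(buf);      /* O_CREAT|O_EXCL, mode 0600: no check-then-open race */
    if (fd == -1)
        return -1;              /* buf is now undefined; do not open() it */
    return fd;
}

/* Like the patch's second hunk: keep the directory part of archive_name and
 * replace the basename with lhXXXXXX, with the copy bounded by buflen. */
int create_temp_beside(const char *archive_name, char *buf, size_t buflen)
{
    const char *slash = strrchr(archive_name, '/');
    size_t dirlen = slash ? (size_t)(slash - archive_name + 1) : 0;
    if (dirlen + sizeof("lhXXXXXX") > buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, archive_name, dirlen);
    memcpy(buf + dirlen, "lhXXXXXX", sizeof("lhXXXXXX"));   /* includes the NUL */
    return mkstemp(buf);
}

/* Check that a result is what mkstemp promises: the XXXXXX were replaced,
 * the descriptor and the name refer to the same inode, and the file is
 * not group- or world-accessible. */
int temp_is_consistent(int fd, const char *name)
{
    struct stat by_fd, by_name;
    if (strstr(name, "XXXXXX") != NULL)
        return 0;
    if (fstat(fd, &by_fd) != 0 || stat(name, &by_name) != 0)
        return 0;
    return by_fd.st_ino == by_name.st_ino && by_fd.st_dev == by_name.st_dev
        && (by_fd.st_mode & 077) == 0;
}

int main(void)
{
    char name[64];
    int fd = create_temp_in_dir("/tmp", name, sizeof name);
    if (fd == -1) {
        perror("mkstemp");
        return 1;
    }
    FILE *fp = fdopen(fd, "w+");    /* use the descriptor, never reopen by name */
    fputs("data\n", fp);
    printf("%s consistent=%d\n", name, temp_is_consistent(fd, name));
    fclose(fp);                     /* closes fd as well */
    unlink(name);
    return 0;
}
```

The checks in temp_is_consistent are the ones worth running once on a new platform: an implementation that leaves the XXXXXX in place or creates the file with a lax mode is exactly the class of mktemp-era behaviour the manpage warns about.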