Package: mktemp
Version: 1.5-2
Severity: grave
Tags: security
There's a problem with the randomness of mktemp. The
random part of the string is a number which is somewhat
based on the current process ID. Worse:
subsequent calls just seem to increase the number
by one:
[EMAIL PROTECTED]:~|0% cat /etc/debian_version
4.0
[EMAIL PROTECTED]:~|0% ps
PID TTY TIME CMD
32342 pts/2 00:00:00 zsh
32366 pts/2 00:00:00 ps
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32367
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32368
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32369
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32370
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32371
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32372
[EMAIL PROTECTED]:~|0%
If you specify more "X"s you will get letters included
-- the amount seems to depend on the length of the PPID --
but as far as the numbers are concerned, it shows
the same behaviour.
This is the way it should be (openSUSE):
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.WawJF
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.53xOG
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.HCmhP
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
I suggest you
a) use a mixture of letters and numbers for mktemp (more letters, since
1 out of 26 has a higher degree of randomness than 1 out of 10);
b) don't include a fixed ratio or position of letters/numbers;
c) don't base the numbers or the letters on PIDs or any other
predictable values. Use /dev/(u)random or similar.
This also applies to Debian Lenny.
Cheers,
Dirk
--
Dirk Wetter @ Dr. Wetter IT Consulting http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3 64E5 C967 34D8 11B7 C62F
-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz
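The following is an added example, not part of the bug report and not Debian's or mktemp's own code. It takes a batch of mktemp(1) results (the sample names below are constructed from the session output in the report) and flags the pattern Dirk describes: suffixes that are plain integers increasing by one. It then shows the fix he suggests, a suffix drawn from /dev/urandom with letters and digits in no fixed position, paired with atomic file creation under noclobber. That pairing matters because mktemp(1) itself creates the file exclusively; a predictable name mainly hurts scripts that only take the name (mktemp -u) or derive further paths from it. Function names (check_suffixes, random_suffix, make_tempfile) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect sequential mktemp
# suffixes and build an unpredictable, atomically created temp file.

# Sample outputs, constructed from the report (Debian 4.0 and openSUSE).
DEBIAN_NAMES="/tmp/-zsh.32342.32367
/tmp/-zsh.32342.32368
/tmp/-zsh.32342.32369
/tmp/-zsh.32342.32370"
SUSE_NAMES="/tmp/zsh.6802.WawJF
/tmp/zsh.6802.53xOG
/tmp/zsh.6802.HCmhP"

# suffix_of NAME: print the part after the last dot (the XXXXX area).
suffix_of() {
    printf '%s\n' "${1##*.}"
}

# check_suffixes NAMES: print "sequential" if every suffix is a decimal
# integer exactly one greater than the previous one, otherwise "random".
check_suffixes() {
    prev=""
    verdict="sequential"
    for n in $1; do
        s=$(suffix_of "$n")
        case "$s" in
            *[!0-9]*) verdict="random"; break ;;
        esac
        if [ -n "$prev" ] && [ "$s" -ne $((prev + 1)) ]; then
            verdict="random"; break
        fi
        prev=$s
    done
    printf '%s\n' "$verdict"
}

# random_suffix N: N characters from [A-Za-z0-9] taken from /dev/urandom,
# no PID involved and no fixed letter/digit positions (suggestions a-c).
random_suffix() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# make_tempfile DIR PREFIX: combine an unpredictable suffix with atomic
# creation (noclobber refuses to open an existing path), retrying on clash.
make_tempfile() {
    dir=$1; prefix=$2; tries=0
    while [ "$tries" -lt 100 ]; do
        name="$dir/$prefix.$(random_suffix 10)"
        if ( set -C; : > "$name" ) 2>/dev/null; then
            printf '%s\n' "$name"
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}

# Usage: run the check on both sample sets, then create one file.
echo "Debian sample:   $(check_suffixes "$DEBIAN_NAMES")"
echo "openSUSE sample: $(check_suffixes "$SUSE_NAMES")"
f=$(make_tempfile "${TMPDIR:-/tmp}" example) && echo "created $f" && rm -f "$f"
```

To audit a live system the same way, feed check_suffixes the output of a few consecutive `mktemp -u /tmp/x.XXXXX` calls; `-u` only prints the name, so nothing is left behind in /tmp.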