Date:      Mon, 28 Jan 2002 11:58:42 -0500
From:      Christopher Masto <chris@netmonger.net>
To:        "Jacques A. Vidrine" <n@nectar.cc>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/contrib/diff sdiff.c
Message-ID:  <20020128165842.GA608@netmonger.net>
In-Reply-To: <20020128161732.GA39333@madman.nectar.cc>
References:  <200201271643.g0RGham39037@freefall.freebsd.org> <20020128161029.GA699@netmonger.net> <20020128161732.GA39333@madman.nectar.cc>

On Mon, Jan 28, 2002 at 10:17:32AM -0600, Jacques A. Vidrine wrote:
> > >   Modified files:
> > >     contrib/diff         sdiff.c 
> > >   Log:
> > >   = Fix temporary file handling.
> > 
> > Does this affect PR 34128?  
> 
> If it does, it's not on purpose.  Would you mind trying it out and
> reporting if it did `fix' it?

I'd be glad to.  It will probably be a few weeks though.  I have
learned the hard way not to do OS upgrades on my machines when I've
got major deadlines coming up.

Looking at the diff, I doubt that it has any effect, since the
behavior of seeking back to the beginning of the existing file
hasn't changed.

> Even had I noted PR 34128, and even if that PR included patches, it
> probably would not have been fixed this close to release.  This commit
> was a security fix, and was requested by the RE.

I understand.  I just was surprised to see sdiff temp file handling
changed so soon after I had sent a PR on that very area.

> Have you reported this bug to the diffutils maintainers (the GNU
> folks)?

I admit that never occurred to me.  I did some Google searches and
was surprised not to find anyone else noticed this problem, but then
I thought it's a rarely used feature in the first place.  My PR is
a bit skimpy, but it's not a complicated problem to describe.

In looking for the address for the diffutils maintainers, I noticed
their latest version is 2.7.7, whereas I seem to have 2.7.  I
downloaded ftp://alpha.gnu.org/gnu/diffutils/diffutils-2.7.7.tar.gz.
I suspect the problem has been fixed already, since their version
does:

    tmp = ck_fopen (tmpname, "r");

where the FreeBSD version does:

    if (fseek (tmp, 0L, SEEK_SET) != 0)
      perror_fatal ("fseek");

Virtually every line in sdiff.c has been changed, style or otherwise,
between 2.7 and 2.7.7, but I'd guess that replacing the one with the
other would achieve a similar effect.  I'm not sure if that opens any
race conditions or such - I suppose if the file was originally created with
restrictive enough permissions, you'd have to delete it to give someone
else an opportunity to replace it.  Perhaps paranoia requires checking
the file again after it's reopened to make sure you still own it.

On the other hand, diffutils appear to have been imported in 1997
and never touched until the above commit.  Syncing with the FSF
version is obviously an alternate approach.

While I'm an active FreeBSD user with a background in software
development, I am not a FreeBSD developer or committer.  It's not
up to me how to proceed.  Hopefully there's enough detail now that
someone better equipped to handle a security-sensitive area can
take care of it.
-- 
Christopher Masto

CB461C61 8AFC E3A8 7CE5 9023 B35D  C26A D849 1F6E CB46 1C61
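
The re-check suggested in the message above (reopen the temporary file by name, then confirm on the new descriptor that it is still yours), as an added example that is not part of the original message or of the sdiff/diffutils source. The names `tmp_create`, `tmp_reopen`, `demo` and the `/tmp/sdiff-ex.XXXXXX` template are hypothetical, and the device/inode comparison goes one step beyond the ownership check the message mentions.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct tmp_id { dev_t dev; ino_t ino; };  /* identity seen by the creating fd */
/* Create a temp file with mkstemp() and record which file we really got. */
int tmp_create(char *tmpl, struct tmp_id *id)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0)
        return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return fd;
}

/* Reopen by name, then check the descriptor (not the path) before use. */
FILE *tmp_reopen(const char *name, const struct tmp_id *id)
{
    struct stat st;
    FILE *fp = NULL;
    int fd = open(name, O_RDONLY | O_NOFOLLOW);        /* refuse symlinks */
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_uid == geteuid() &&                      /* still ours */
        st.st_dev == id->dev && st.st_ino == id->ino)  /* same file */
        fp = fdopen(fd, "r");
    if (fp == NULL && fd >= 0)
        close(fd);
    return fp;
}

/* Constructed test: 1 = reopen accepted, 0 = refused, -1 = setup error. */
int demo(int swap)
{
    char a[] = "/tmp/sdiff-ex.XXXXXX", b[] = "/tmp/sdiff-ex.XXXXXX";
    struct tmp_id id, other;
    int fa = tmp_create(a, &id), fb = tmp_create(b, &other);
    if (fa < 0 || fb < 0 || (swap && rename(b, a) != 0)) /* swap: b over a */
        return -1;
    close(fa); close(fb);
    FILE *fp = tmp_reopen(a, &id);
    int ok = (fp != NULL);
    if (fp) fclose(fp);
    unlink(a); unlink(b);
    return ok;
}
```

A device/inode match can still be fooled if the original file is deleted and its inode number is reused, which is why keeping the original descriptor open and seeking on it sidesteps the question entirely.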
