Be much more paranoid about where uudecode writes its output, especially

when the filename comes from the untrusted input. This is a work-around for careless people who don't routinely check the begin line of the file or run uudecode -i and instead report "vulnerabilities" to CERT. http://www.kb.cert.org/vuls/id/336083
2002-11-01 00:58:00 +00:00 · 2002-11-01 00:58:00 +00:00 · c467150777
commit c467150777
parent 760e63e6f7
1 changed files with 36 additions and 7 deletions
--- a/usr.bin/uudecode/uudecode.c
+++ b/usr.bin/uudecode/uudecode.c
@ -59,6 +59,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>

 #include <err.h>
+#include <errno.h>
+#include <fcntl.h>
 #include <pwd.h>
 #include <resolv.h>
 #include <stdio.h>
@ -231,14 +233,41 @@ decode2(void)
 		return (1);
 	}

-	if (!pflag) {
-		if (iflag && !access(buffn, F_OK)) {
-			warnx("not overwritten: %s", buffn);
-			return (0);
+	if (pflag)
+		outfp = stdout;
+	else {
+		int flags = O_WRONLY|O_CREAT|O_EXCL;
+		if (lstat(buffn, &st) == 0) {
+			if (iflag) {
+				warnc(EEXIST, "%s: %s", filename, buffn);
+				return (0);
+			}
+			switch (st.st_mode & S_IFMT) {
+			case S_IFREG:
+			case S_IFLNK:
+				/* avoid symlink attacks */
+				if (unlink(buffn) == 0 || errno == ENOENT)
+					break;
+				warn("%s: unlink %s", filename, buffn);
+				return (1);
+			case S_IFDIR:
+				warnc(EISDIR, "%s: %s", filename, buffn);
+				return (1);
+			default:
+				if (oflag) {
+					/* trust command-line names */
+					flags &= ~O_EXCL;
+					break;
+				}
+				warnc(EEXIST, "%s: %s", filename, buffn);
+				return (1);
+			}
+		} else if (errno != ENOENT) {
+			warn("%s: %s", filename, buffn);
+			return (1);
 		}
-		if ((outfp = fopen(buffn, "w")) == NULL ||
-		    stat(buffn, &st) < 0 || (S_ISREG(st.st_mode) &&
-		    fchmod(fileno(outfp), getmode(mode, 0) & 0666) < 0)) {
+		if ((i = open(buffn, flags, getmode(mode, 0) & 0666)) < 0 ||
+		    (outfp = fdopen(i, "w")) == NULL) {
 			warn("%s: %s", filename, buffn);
 			return (1);
 		}