COMMAND

    bootpd

SYSTEMS AFFECTED

    Bootpd 2.4.3 tmp race

PROBLEM

    Marcelo Tosatti found the following.  If the user does not specify
    a file to dump the database to, bootpd will try to dump it in
    /tmp/bootpd.dump.

SOLUTION

    The proper solution (for any bug of this kind) is to stop  putting
    such files  into /tmp  or any  other publicly  readable directory.
    The following is not a fix.  It just makes the problem less obvious
    and lowers the risk of abuse.  (The risk was already low, because a
    certain signal must be sent to the daemon and this is a rare event
    in most installations.)

    diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c
    --- bootp-2.4.3.orig/bootpd.c   Mon Mar 27 18:38:35 1995
    +++ bootp-2.4.3/bootpd.c        Thu Nov 12 05:57:39 1998
    @@ -91,11 +91,9 @@

     #ifndef CONFIG_FILE
     #define CONFIG_FILE            "/etc/bootptab"
     #endif
    -#qifndef DUMPTAB_FILE
    -#define DUMPTAB_FILE           "/tmp/bootpd.dump"
    -#endif

    -
    +char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";
    +

     /*
      * Externals, forward declarations, and global variables
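
    Review bot: the new `char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";` still places the dump in /tmp, so the only protection left is the unpredictability of the six-character suffix; the default should point at a directory that only the daemon's user can write to. Replacing the `#ifndef DUMPTAB_FILE` / `#define` block with a global array also drops the build-time override (a `-DDUMPTAB_FILE=...` definition would now break this declaration), and an all-caps name on a mutable buffer reads like a macro. Keep the guarded macro for the path and use a separately named buffer if a template is really needed.
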
    @@ -369,7 +367,8 @@

            if (argc > 1)
                    bootpd_dump = argv[1];
    -
    +       else
    +               mktemp(DUMPTAB_FILE);
            /*
             * Get my hostname and IP address.
             */
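
    Review bot: `mktemp(DUMPTAB_FILE);` in the new `else` branch only picks a name and does not create the file, so the window between choosing the name at startup and writing the dump later stays open to anyone who creates that name in /tmp first. The return value is not checked, and nothing visible in this hunk points `bootpd_dump` at the generated name, so confirm the default still resolves to DUMPTAB_FILE now that it is an array rather than a macro. Prefer creating the file at dump time with mkstemp(), or open() with O_CREAT|O_EXCL and mode 0600, and handle the failure case.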
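
    The approach named under SOLUTION (keep the dump out of /tmp) can be
    sketched as follows.  This is an added example, not bootpd code and not
    part of the patch above; open_dump() and its arguments are hypothetical
    names, and the directory passed in is assumed to be prepared for the
    daemon's user.

```c
/* Added example, not bootpd source. open_dump() and its arguments are
 * hypothetical names chosen for this illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` for writing inside `dir`. Refuses a directory that is not owned
 * by the caller or that group/others can write to (so "/tmp" is rejected),
 * and never follows or reuses an object already sitting at `name`.
 * Returns a stream, or NULL with errno set. */
FILE *open_dump(const char *dir, const char *name)
{
    struct stat st;
    FILE *fp;
    int fd, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);

    if (dfd < 0)
        return NULL;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return NULL;
    }
    /* Drop the previous dump, then create the file fresh: O_EXCL makes the
     * create fail if anything, a symlink included, exists at the name. */
    if (unlinkat(dfd, name, 0) < 0 && errno != ENOENT) {
        close(dfd);
        return NULL;
    }
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return NULL;
    if ((fp = fdopen(fd, "w")) == NULL)
        close(fd);
    return fp;
}
```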