/* This programs opens the complete set of temporary files tested with mktemp()
   for a given template (with 6 X's), usually resulting in the program
   terminating upon failure to find an open file.  In pop3d, this prevents a
   pop client from reading their mail.
 
   Dave M. (davem@cmu.edu)
*/

#include 
#include 
#include 
#include 
#include 

[snip...]

=-=-=-=-=

Date: Sat, 23 Dec 1995 18:29:43 -0500
From: Theodore Ts'o 
To: Multiple recipients of list BUGTRAQ 
Subject: Re: mailx-5.5 (slackware /bin/mail) security hole

My, the more things change, the more things stay the same.  This is an
*old*, *old*, **old** vulnerability.  In fact, it's so old that BSD 4.3
(back when dinosaurs prowled the earth :-), introduced the mkstemp()
call to deal with this vulnerability.

int mkstemp(char *template)

Works just like mktemp(), but it returns a file descriptor which is open
for reading and writing.  This file descriptor is guaranteed to belong
to a freshly created file.  mkstemp() is already in the Linux libc, for
BSD compatibility --- it's just a matter of modifying existing programs
to use it.

It would probably be a good idea for future descriptions of this particular
security problem also included the a fix for getting around this
problem.  Using mkstemp(), where available, is a fine way to fix the
problem.  If it's not available, it's not terribly hard to write a
mkstemp() function, or to simply use mktemp and open the file with the
O_CREAT and O_EXCL flags.

Regarding the denial of service attack if there are more than 62
conflicting file names --- this sounds like a bug in mktemp() to me!  It
clearly should be using a better algorithm if that's all it takes to
trip it up.

                                                - Ted