From ee5ff037654168d0829c3219ce7d89ab202af40d Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Wed, 18 Mar 2026 04:49:22 +0000
Subject: nvmutil tmpdir: check world-writeable / sticky bits

must be world writeable and not have sticky bits

a bit theoretical, but we're also reading TMPDIR,
which could be anything

due to how this is called, it defaults back to /tmp
if null is returned, so itt's safe

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'util/nvmutil/nvmutil.c')

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index c34d79c3..8205a1df 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -991,7 +991,7 @@ rlong(void)
     defined(__NetBSD__) || defined(__APPLE__)
 
 	unsigned long rval;
-	arc4random_buf(&rval, sizeof(unsigned long);
+	arc4random_buf(&rval, sizeof(unsigned long));
 
 	return rval;
 #else
@@ -3001,8 +3001,8 @@ x_c_tmpdir(void)
 
 	t = getenv("TMPDIR");
 	if (t && *t) {
-		if (stat(t, &st) == 0 && S_ISDIR(st.st_mode))
-			return t;
+		if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
+			return NULL;
 	}
 
 	if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode))
-- 
cgit v1.2.1