On Thu, Nov 03, 2005 at 11:16:43PM -0500, Noah Meyerhans wrote:
> There are a number of outstanding "insecure tempfile vulnerabilities",
> and there has been some talk that they're both too numerous and of low
> enough impact that they're not even worth releasing DSAs for. Nevertheless,

Where was that talk done? I've been the one auditing that and there have been DSAs for most of the bugs I've reported to the audit team. Granted, they are not being issued immediately (I usually provide the report and a patch), but they are on the queue as far as I know.

> they are potentially dangerous and should be dealt with on some
> level. We believe that using libpam_tmpdir by default should make
> nearly all of these vulnerabilities cease to be relevant (there are some
> braindead apps that have /tmp hardcoded and don't use $TMP or $TMPDIR).

The problem is, there's lots of those. And when I say lots I mean that I have a list of ~4780 binary packages of which at least ~2300 make use of insecure tempfiles for sure and the others need to be reviewed (as the script I use produces false positives and false negatives). And that doesn't include the source packages that use /tmp insecurely (i.e. when building a package).

I have focused on fixing the issue in the most popular packages (stuff like mozilla, mysql, lm-sensors, lintian, lilo, cfengine, to name a few) and I'm producing patches for the rest as time permits.

There are even scripts that use 'mktemp' but don't use the -t option, so they are rooted in /tmp nevertheless (notice that 'tempfile' does this by default). And there are even some packages which do _not_ have insecure tempfile vulnerabilities but hardcode the directory or file location to /tmp in any case.
IMHO, it's a worthwhile goal for etch, but it should be done at the same time as a policy change mandating the use of mktemp/tempfile for shell scripts, File::Temp in Perl scripts, tempnam in PHP, tmpfile in C, and safe constructs in those languages that lack a proper implementation (see #291389, for example).

Regards

Javier
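The symlink race that the predictable /tmp names discussed in the mail permit, beside the mktemp -t / $TMPDIR fix, as an added shell example that is not part of the original message or of any Debian package. The file names, directories and contents are constructed for the demonstration; attacker and victim run in the same shell so the PID in the predictable name is known exactly, where a real attacker would have to guess it.

```shell
#!/bin/sh
# Added example (not from the original thread): a predictable-name /tmp
# symlink race, and the mktemp -t pattern that avoids it and honours
# $TMPDIR (which is what libpam_tmpdir relies on).  All names constructed.

# Insecure pattern common in the scripts the mail describes: a name built
# from the PID under a hard-coded /tmp.  Whoever guesses the PID can plant
# a symlink there first; the '>' redirection follows it and clobbers the
# target with the writer's privileges.
insecure_write() {
    tmp="/tmp/tmpfile-demo.$$"
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Safe pattern: mktemp -t creates the file itself (O_EXCL, mode 0600) with
# an unpredictable name under $TMPDIR, falling back to /tmp only when
# TMPDIR is unset.  A pre-existing file or symlink makes it fail rather
# than being followed.  Without -t the same call would ignore $TMPDIR.
secure_write() {
    tmp=$(mktemp -t tmpfile-demo.XXXXXX) || return 1
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Plays attacker and victim in one shell so $$ is known exactly.
# Returns 0 when the victim file was overwritten through the symlink,
# i.e. when the race succeeded.
demo_symlink_race() {
    work=$(mktemp -d) || return 2
    victim="$work/victim"
    echo "original" > "$victim"
    link="/tmp/tmpfile-demo.$$"
    ln -s "$victim" "$link" || { rm -rf "$work"; return 2; }  # attacker
    insecure_write >/dev/null                                # victim
    contents=$(cat "$victim")
    rm -f "$link"
    rm -rf "$work"
    [ "$contents" = "scratch data" ]
}

# Shows that secure_write lands in $TMPDIR (a private per-user directory
# in the libpam_tmpdir setup) rather than in /tmp.  Returns 0 when the
# created file lies under the directory TMPDIR pointed at.
demo_tmpdir_honoured() {
    work=$(mktemp -d) || return 2
    f=$( TMPDIR="$work"; export TMPDIR; secure_write ) || { rm -rf "$work"; return 2; }
    case "$f" in
        "$work"/*) ok=0 ;;
        *)         ok=1 ;;
    esac
    rm -rf "$work"
    return $ok
}

main() {
    if demo_symlink_race; then
        echo "insecure_write: victim file overwritten via planted symlink"
    else
        echo "insecure_write: race did not succeed on this system"
    fi
    if demo_tmpdir_honoured; then
        echo "secure_write: file created under \$TMPDIR, not /tmp"
    else
        echo "secure_write: \$TMPDIR was not honoured"
    fi
}

main "$@"
```

The second demonstration is the one that matters for the libpam_tmpdir argument: relocating $TMPDIR only protects code that actually consults it, so a script using `mktemp /tmp/foo.XXXXXX` or a hard-coded `/tmp/foo.$$` gains nothing from the module, which is the point the mail makes about the ~2300 packages.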