
Re: CVE-2008-5378: possible symlink attacks



On Mon, 29 Dec 2008, Thomas Viehmann wrote:

  Never use mktemp().

Args - I've read this and intended to use in both cases mkstemp - but then
just forgot this.  I think just for reading files mktemp is fine.  The
rationale is that I do not really want to rewrite the reading routine
which opens the file to read.  The mkstemp function also opens the file
and returns a handle - which is just very different from the current code.
I committed a hopefully better patch (where mkstemp is used for writing
a file).

(This is what I meant with my comment to think about securely created
filenames instead of files, you need to use mk*s*temp which has
different semantics).

At least I had the good idea to ask for cross checking ...

The killing part is also still somewhat wrong, IMO you want something
along the lines of
x=$(stat -c '%u %f' x) ; [ "${x%???}" == "$UID 8" ] || echo fail
to test whether it's a regular file that you own (though there is bound
to be a prettier way to verify that, even if [ -f ... ] is not part of it).

Do you think that this is definitely needed to avoid any security
problem in this specific case?

Kind regards

     Andreas.

--
http://fam-tille.de
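The two points raised in the thread, mkstemp() for the file that is written and a "regular file that I own, not reached through a symlink" test before the file is read back, written out as C. This is an added illustration, not code from this thread or from the package the CVE concerns; the helper names, the scratch paths under /tmp and the bitmask returned by self_check() are constructed for the demo. The read-side check is done with fstat() on the descriptor that was actually opened (with O_NOFOLLOW), which answers the same question as the stat -c '%u %f' one-liner but without a window between "check" and "use".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Writing side: mkstemp() fills in the XXXXXX, creates the file with
 * O_CREAT|O_EXCL and mode 0600, and hands back an open descriptor.
 * An attacker cannot pre-create or symlink the name between "pick a
 * name" and "open", which is exactly the hole mktemp() leaves.
 * Returns the fd, or -1 on failure. */
int create_private_tempfile(char *template_path)
{
    int fd = mkstemp(template_path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) {  /* belt and braces */
        close(fd);
        unlink(template_path);
        return -1;
    }
    return fd;
}

/* Reading side: open only if the target is a regular file owned by the
 * calling user and is not a symlink. O_NOFOLLOW makes open() fail with
 * ELOOP on a symlink; fstat() then inspects the file we really opened.
 * Returns the open fd, or -1 with errno set. */
int open_regular_owned_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Predicate form: 1 if path is a regular file we own, 0 otherwise. */
int is_regular_owned_file(const char *path)
{
    int fd = open_regular_owned_file(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Demo: private scratch directory, one file created with mkstemp(), one
 * symlink pointing at it. Returns a bitmask: bit0 = file accepted,
 * bit1 = symlink rejected, bit2 = directory rejected (7 = all as expected),
 * or -1 if the scratch setup itself failed. */
int self_check(void)
{
    char dir[] = "/tmp/cve-demo-XXXXXX";       /* constructed sample path */
    char file[64], link[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/data-XXXXXX", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    fd = create_private_tempfile(file);
    if (fd < 0)
        return -1;
    if (write(fd, "hello\n", 6) != 6)
        result = -1;
    close(fd);
    if (result < 0 || symlink(file, link) < 0) {
        unlink(file); rmdir(dir);
        return -1;
    }

    if (is_regular_owned_file(file))  result |= 1;
    if (!is_regular_owned_file(link)) result |= 2;
    if (!is_regular_owned_file(dir))  result |= 4;

    unlink(link); unlink(file); rmdir(dir);
    return result;
}

int main(void)
{
    int r = self_check();
    printf("self_check() = %d (7 means all three cases behaved)\n", r);
    return r == 7 ? 0 : 1;
}
```

If the program must keep the existing "read by path" routine, the same test can be applied with lstat() on the path before the open, but the descriptor-based form above is the one that cannot be raced.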

