[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2008-5378: possible symlink attacks

On Tue, 30 Dec 2008, Thomas Viehmann wrote:

Also, mkstemp(3):
      The last six characters of template must be "XXXXXX" and these
      are replaced with a string that makes the  filename
      unique.   Since it will be modified, template must not be a
      string constant, but should be declared as a character array.
so you have the name readily available.

Hmm, stupid me - my patch is just wrong.  It makes no sense to
start reading a file which is created using mktemp - by definition
it does not exist.  SOrry for the confusion - I just have to
search the filesystem at this piece of code for the previousely
created file (or keep a variable with the name).

Don't know, causing people to accidentally kill their processes seems
nasty to me, but it might not be that critical.

Considering the practical use I do not think that this application
is a frequently used way to do this harm to people.

Kind regards



Reply to: