[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: severity for bugs in ignoring TMP/TMPDIR?

On 10/02/2012, Paul Wise <pabs@debian.org> wrote:
> On Sun, Feb 5, 2012 at 10:51 AM, Paul Wise wrote:
>> If I notice that software in Debian is ignoring TMP/TMPDIR (since I use
>> libpam-tmpdir), what severity should I file the resulting bugs at?
> I'll file them at wishlist as suggested by the second mail in this thread.

If you (or the maintainer) review the code or analyse the program's
behaviour and it is using *fixed* (i.e. not random) filenames for the
temporary files or for the directories they are created in (/tmp or
/var/tmp), you might want to suggest the maintainer to review if the
code in charge of creating temporary files is doing this properly.

When in 2004-2006 I reviewed [1] programs in the archive using
temporary files in fixed locations (i.e. /tmp and /var/tmp) I found a
number of security vulnerabilities which were all instances of this

- CWE-377: Insecure Temporary File -
- CWE-379: Creation of Temporary File in Directory with Incorrect
Permissions -http://cwe.mitre.org/data/definitions/379.html
- CWE-378: Creation of Temporary File With Insecure Permissions -

I'm sure the situation has *not* improved since then.

Best regards


[1] Acting as member of Debian Security Audit Team [1]. A full list of
advisories at http://www.debian.org/security/audit/advisories

Reply to: