
Re: severity for bugs in ignoring TMP/TMPDIR?



On 10/02/2012, Paul Wise <pabs@debian.org> wrote:
> On Sun, Feb 5, 2012 at 10:51 AM, Paul Wise wrote:
>
>> If I notice that software in Debian is ignoring TMP/TMPDIR (since I use
>> libpam-tmpdir), what severity should I file the resulting bugs at?
>
> I'll file them at wishlist as suggested by the second mail in this thread.

If you (or the maintainer) review the code or analyse the program's
behaviour and it is using *fixed* (i.e. not random) filenames for the
temporary files or for the directories they are created in (/tmp or
/var/tmp), you might want to suggest that the maintainer review whether
the code in charge of creating temporary files is doing this properly.

When in 2004-2006 I reviewed [1] programs in the archive using
temporary files in fixed locations (i.e. /tmp and /var/tmp) I found a
number of security vulnerabilities which were all instances of these
categories:

- CWE-377: Insecure Temporary File -
  http://cwe.mitre.org/data/definitions/377.html
- CWE-379: Creation of Temporary File in Directory with Incorrect
  Permissions - http://cwe.mitre.org/data/definitions/379.html
- CWE-378: Creation of Temporary File With Insecure Permissions -
  http://cwe.mitre.org/data/definitions/378.html

I'm sure the situation has *not* improved since then.

Best regards

Javier


[1] Acting as a member of the Debian Security Audit Team. A full list of
advisories is at http://www.debian.org/security/audit/advisories
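The two checks the message above asks a reviewer to make, written out as a runnable C example. This is an added illustration, not code from the thread, from libpam-tmpdir or from any Debian package: `tmp_dir()`, `open_secure_tmp()` and `fixed_tmp_literal()` are names of this example's own, the sample source lines are constructed, and the fallback to /tmp when TMPDIR is unset is an assumption of the example. The first part creates a temporary file in TMPDIR with a random name and owner-only permissions and then verifies, through the descriptor rather than the path, what was actually opened (the CWE-377 and CWE-378 cases); the second is a grep-style heuristic for the fixed /tmp and /var/tmp names the message says to look for during review.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not from the thread or any package).  Function names are
 * this example's own; the /tmp fallback is an assumption. */

/* TMPDIR if set and non-empty, otherwise /tmp.  libpam-tmpdir only works
 * for programs that honour this variable. */
const char *tmp_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Create a fresh temporary file "<tmp_dir>/<prefix>.XXXXXX".  Returns the
 * open descriptor (path written to path_out) or -1 with errno set. */
int open_secure_tmp(const char *prefix, char *path_out, size_t path_len) {
    int n = snprintf(path_out, path_len, "%s/%s.XXXXXX", tmp_dir(), prefix);
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp() replaces the X's with a random string and opens with
     * O_CREAT|O_EXCL and mode 0600, so a pre-existing file or symlink at
     * that name makes the call fail instead of being followed (CWE-377). */
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    /* Post-check on the descriptor, not the path: regular file, a single
     * link, owned by us, and no group/other permission bits (CWE-378). */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path_out);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Review heuristic: a source line embedding a string literal that starts
 * with /tmp/ or /var/tmp/ and carries no XXXXXX template is a candidate
 * fixed temporary name and deserves a closer look. */
int fixed_tmp_literal(const char *line) {
    const char *p = strstr(line, "\"/tmp/");
    if (!p)
        p = strstr(line, "\"/var/tmp/");
    if (!p)
        return 0;
    return strstr(p, "XXXXXX") == NULL;
}

/* Constructed sample source lines (not taken from any real package). */
static const char *sample_lines[] = {
    "fp = fopen(\"/tmp/myapp.lock\", \"w\");",            /* fixed name: flag */
    "char tmpl[] = \"/tmp/myapp.XXXXXX\";",               /* template: ok */
    "mkdir(\"/var/tmp/myapp-cache\", 0777);",             /* fixed dir: flag */
    "snprintf(p, sizeof p, \"%s/x.XXXXXX\", tmp_dir());", /* honours TMPDIR */
};

/* Number of flagged sample lines. */
int count_fixed_tmp_literals(void) {
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof *sample_lines; i++)
        hits += fixed_tmp_literal(sample_lines[i]);
    return hits;
}

/* Exercise open_secure_tmp(): 1 if a file was created under tmp_dir()
 * and passed the post-checks, 0 otherwise. */
int demo_secure_tmp(void) {
    char path[PATH_MAX];
    int fd = open_secure_tmp("audit-demo", path, sizeof path);
    if (fd < 0)
        return 0;
    const char *dir = tmp_dir();
    int ok = strncmp(path, dir, strlen(dir)) == 0 && path[strlen(dir)] == '/';
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    char path[PATH_MAX];
    int fd = open_secure_tmp("audit-demo", path, sizeof path);
    if (fd < 0) {
        perror("open_secure_tmp");
        return 1;
    }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    printf("fixed-name literals in sample: %d\n", count_fixed_tmp_literals());
    return 0;
}
```

Run it with and without `TMPDIR` set to see the directory change; the heuristic is deliberately coarse (it only looks at literals on one line) and is meant to shortlist places to read, not to replace reading them.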

