[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#508111: devscripts: Insecure tempfile creation (redux).

Nico Golde wrote, Mon, 8 Dec 2008 11:25:36 +0100:
Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
>No this is correct, devscripts is vulnerable to
>a symlink attack before the fix (for example signfile()).
Just had a look again at this issue. It should be no
real problem as mktemp creates the file with safe
permissions, so this can't be used to overwrite an
arbitrary file. Though mktemp is stuck in an endless
loop if there is already a symlink present with the
template name.

Thanks. In that case, I don't think this needs any RM action; apologies for the noise.

Reply to: