
CVE-2010-2061 and CVE-2010-2064


I am looking at those issues that are related, see:


The first one is marked as "fixed" here:


However, the second one is marked as "undetermined" here:


I looked at the code in warmstart.c and found that rpcbind uses fopen()
to open XDR files in /tmp and then the xdrstdio_create() function that
reuses the file descriptor returned by fopen().

Fixing CVE-2010-2064 would require using open() and some flags
instead of fopen() since there is no way to detect a symlink with

It would then be impossible (or at least difficult) to use the xdr*()
functions with the file descriptor returned by open().

Therefore fixing CVE-2010-2064 would require large changes which are
outside the scope of a simple security fix.

The proposed workaround to use XDR files in /var/run instead of /tmp is
therefore a simple and effective fix and is IMHO sufficient to
also fix CVE-2010-2064.

BTW, the fix for CVE-2010-2061 could have been done with defensive
coding (checking the UID of files) but has been done with a simple
directory change.

Laurent Bonnaud.
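As an added illustration (not code from the post or from rpcbind), this is what the "defensive coding" variant mentioned above could look like: open the state file with O_NOFOLLOW, check the owner and type of what was actually opened with fstat(), and only then wrap the descriptor with fdopen() so that stdio-based APIs such as xdrstdio_create() can use it. The file and directory names are constructed for the self-check.

```c
#define _GNU_SOURCE                 /* mkdtemp, O_NOFOLLOW, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing state file for reading without following a symlink at the
 * final path component, then check what was actually opened before handing a
 * FILE* to stdio-based code (e.g. xdrstdio_create()). Returns NULL if the
 * path is a symlink, not a regular file, hard-linked, or not owned by us. */
FILE *open_state_file_safely(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;                /* ELOOP when a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "r");     /* same fd, now usable by stdio/XDR */
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Self-check with constructed paths: a regular file in a fresh private
 * directory opens, a symlink planted next to it is rejected. Returns 1 if
 * both outcomes are as expected, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/rpcbind-demo-XXXXXX", real[64], link[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/rpcbind.xdr", dir);
    snprintf(link, sizeof link, "%s/planted.xdr", dir);
    FILE *w = fopen(real, "w");
    if (w == NULL || fputs("xdr payload\n", w) < 0 || fclose(w) != 0 ||
        symlink(real, link) != 0)
        return 0;
    FILE *good = open_state_file_safely(real);
    FILE *bad = open_state_file_safely(link);   /* must fail: O_NOFOLLOW */
    int ok = (good != NULL && bad == NULL);
    if (good) fclose(good);
    unlink(link); unlink(real); rmdir(dir);
    return ok;
}
```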
