CVE-2010-2061 and CVE-2010-2064
I am looking at those issues that are related, see:
The first one is marked as "fixed" here:
However, the second one is marked as "undetermined" here:
I looked at the code in warmstart.c and found that rpcbind uses fopen()
to open XDR files in /tmp and then the xdrstdio_create() function that
reuses the file descriptor returned by fopen().
Fixing CVE-2010-2064 would require using open() and some flags
instead of fopen() since there is no way to detect a symlink with
It would then be impossible (or at least difficult) to use the xdr*()
functions with the file descriptor returned by open().
Therefore fixing CVE-2010-2064 would require large changes which are
outside the scope of a simple security fix.
The proposed workaround to use XDR files in /var/run instead of /tmp is
therefore a simple and effective fix and is IMHO sufficient to
also fix CVE-2010-2064.
BTW, the fix for CVE-2010-2061 could have been done with defensive
coding (checking the UID of files) but has been done with a simple
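Added example, not rpcbind's code and not part of the message above: the defensive pattern the thread touches on, opening a state file with open() and O_NOFOLLOW so a symlink in the final path component is refused, checking the opened inode with fstat() (regular file, owned by the effective UID), and only then obtaining a stdio stream with fdopen(). The resulting FILE* is the same kind of object xdrstdio_create() takes from fopen(). The demo directory, file names and contents are constructed for the example; the XDR header is not included so the block builds without libtirpc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a state file read-only without following a final-component symlink,
 * then verify the inode actually opened before wrapping it in a FILE*.
 * Returns NULL with errno set on any refusal (ELOOP when the path is a
 * symlink). The FILE* can be passed to xdrstdio_create() like one from fopen(). */
FILE *open_state_file_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;
    struct stat st;
    /* fstat() checks the descriptor we hold, so there is no check-then-use race. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Demo on a constructed temp directory: one regular file plus a symlink to it.
 * Returns 1 if the regular file opens and the symlink is refused with ELOOP. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/warmstart-demo-XXXXXX";   /* constructed, not rpcbind's path */
    if (mkdtemp(dir) == NULL)
        return 0;
    char regular[PATH_MAX], link[PATH_MAX];
    snprintf(regular, sizeof regular, "%s/state.xdr", dir);
    snprintf(link, sizeof link, "%s/link.xdr", dir);

    int ok = 0;
    FILE *w = fopen(regular, "w");
    if (w != NULL) {
        fputs("constructed state data\n", w);
        fclose(w);
    }
    if (w != NULL && symlink(regular, link) == 0) {
        FILE *good = open_state_file_nofollow(regular);
        FILE *bad = open_state_file_nofollow(link);
        int bad_errno = errno;
        ok = (good != NULL) && (bad == NULL) && (bad_errno == ELOOP);
        if (good != NULL)
            fclose(good);
    }
    unlink(link);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused, regular file accepted: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

The ownership check in open_state_file_nofollow() is the "checking the UID of files" approach mentioned above; because it runs on the already-open descriptor rather than on the path, a file swapped in between a stat() and the open cannot slip past it.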