Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
On Sat, Jan 04, 2003 at 08:42:18PM -0500, Matt Zimmerman wrote:
> On Sat, Jan 04, 2003 at 10:20:09PM +0000, Julian Gilbey wrote:
>
> > The woody version uses a shell script with the tempfile command. The
> > code is essentially:
> >
> > tmp=`tempfile ...`
> > zcat ... > $tmp
> >
> > I don't know whether tempfile is careful to check for the safety of
> > the directory more thoroughly than perl's File::Temp or not; if this
> > is not safe, then we have some serious problems pretty much everywhere
> > where tempfile is likely to be used.
>
> tempfile is safe, because it creates the file in a secure manner before
> returning the filename.
The point, though, is: once the file has been created, a symlink
attack can be used if the directory is world-writeable (with no sticky
bit set). Does tempfile only create files in "safe" directories?
Julian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, website: http://www.polya.uklinux.net/
Debian GNU/Linux Developer, see: http://people.debian.org/~jdg/
Visit http://www.thehungersite.com/ to help feed the hungry
Reply to: