Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)

To: Julian Gilbey <jdg@polya.uklinux.net>
Cc: 174987@bugs.debian.org
Subject: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
From: Matt Zimmerman <mdz@debian.org>
Date: Sat, 4 Jan 2003 21:34:39 -0500
Message-id: <[🔎] 20030105023439.GG30199@mizar.alcor.net>
Reply-to: Matt Zimmerman <mdz@debian.org>, 174987@bugs.debian.org
In-reply-to: <[🔎] 20030105023000.GE3960@polya>
References: <[🔎] 20030103090045.GA1533@polya> <[🔎] 20030103155705.GB17378@mizar.alcor.net> <[🔎] 20030104222009.GB813@polya> <[🔎] 20030105014218.GF30199@mizar.alcor.net> <[🔎] 20030105023000.GE3960@polya>

On Sun, Jan 05, 2003 at 02:30:00AM +0000, Julian Gilbey wrote:

> On Sat, Jan 04, 2003 at 08:42:18PM -0500, Matt Zimmerman wrote:
> > On Sat, Jan 04, 2003 at 10:20:09PM +0000, Julian Gilbey wrote:
> > 
> > > The woody version uses a shell script with the tempfile command.  The
> > > code is essentially:
> > > 
> > >   tmp=`tempfile ...`
> > >   zcat ... > $tmp
> > > 
> > > I don't know whether tempfile is careful to check for the safety of
> > > the directory more thoroughly than perl's File::Temp or not; if this
> > > is not safe, then we have some serious problems pretty much everywhere
> > > where tempfile is likely to be used.
> > 
> > tempfile is safe, because it creates the file in a secure manner before
> > returning the filename.
> 
> The point, though, is: once the file has been created, a symlink
> attack can be used if the directory is world-writeable (with no sticky
> bit set).  Does tempfile only create files in "safe" directories?

man tempfile:

       The directory to place the file is searched for in the following order:

       a)     The directory specified by the environment variable  TMPDIR,  if
              it is writable.

       b)     The directory specified by the --directory argument, if given.

       c)     The directory /tmp.


-- 
 - mdz

Reply to:

Follow-Ups:
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>

References:
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Matt Zimmerman <mdz@debian.org>
- Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
  - From: Julian Gilbey <jdg@polya.uklinux.net>

Prev by Date: Bug#175342: acknowledged by developer (Re: Bug#175342: Can't use URW Nimbus fonts at all)
Next by Date: CVS kohda tetex-bin: removed ctanglie.1 cweave.1 mf-nowin.1 from dh_undocumented entries
Previous by thread: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
Next by thread: Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
Index(es):
- Date
- Thread