Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
On Sun, Jan 05, 2003 at 02:30:00AM +0000, Julian Gilbey wrote:
> On Sat, Jan 04, 2003 at 08:42:18PM -0500, Matt Zimmerman wrote:
> > On Sat, Jan 04, 2003 at 10:20:09PM +0000, Julian Gilbey wrote:
> >
> > > The woody version uses a shell script with the tempfile command. The
> > > code is essentially:
> > >
> > > tmp=`tempfile ...`
> > > zcat ... > $tmp
> > >
> > > I don't know whether tempfile is careful to check for the safety of
> > > the directory more thoroughly than perl's File::Temp or not; if this
> > > is not safe, then we have some serious problems pretty much everywhere
> > > where tempfile is likely to be used.
> >
> > tempfile is safe, because it creates the file in a secure manner before
> > returning the filename.
>
> The point, though, is: once the file has been created, a symlink
> attack can be used if the directory is world-writeable (with no sticky
> bit set). Does tempfile only create files in "safe" directories?

man tempfile:

    The directory to place the file is searched for in the following order:

    a) The directory specified by the environment variable TMPDIR, if it is writable.
    b) The directory specified by the --directory argument, if given.
    c) The directory /tmp.

--
- mdz
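
The directory check asked about in this thread, as an added example that is not part of the original messages, the xdvi wrapper or tempfile itself: it follows the search order quoted from the man page, then refuses a directory that is world-writable without the sticky bit. The function names and the `xdvi.XXXXXX` template are hypothetical, `mktemp` stands in for `tempfile`, and only the final directory is checked, not its parents.

```shell
#!/bin/sh
# Added example; function names and the xdvi.XXXXXX template are hypothetical.

# Return 0 if other users cannot remove or replace files in directory "$1":
# it is either not world-writable, or world-writable with the sticky bit set.
tmpdir_is_safe() {
    [ -d "$1" ] || return 1
    # "$1/." resolves a symlinked directory; columns 9-10 of the mode string
    # are the "other" write bit and the "other" execute/sticky position.
    perm=$(ls -ld -- "$1/." | cut -c9-10)
    case "$perm" in
        w[tT]) return 0 ;;  # world-writable, sticky bit set (like /tmp)
        -?)    return 0 ;;  # not world-writable
        *)     return 1 ;;  # world-writable without sticky, or ls failed
    esac
}

# Choose a directory in the order the quoted man page gives:
# $TMPDIR if it is writable, then the caller's directory argument, then /tmp.
pick_tmpdir() {
    if [ -n "${TMPDIR:-}" ] && [ -w "$TMPDIR" ]; then
        printf '%s\n' "$TMPDIR"
    elif [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' /tmp
    fi
}

# Print the name of a newly created temp file, or fail if the chosen
# directory does not pass the check above.
safe_tempfile() {
    dir=$(pick_tmpdir "${1:-}")
    if ! tmpdir_is_safe "$dir"; then
        echo "refusing unsafe temp directory: $dir" >&2
        return 1
    fi
    # mktemp creates the file exclusively and readable only by its owner.
    mktemp "$dir/xdvi.XXXXXX"
}

# Usage, mirroring the wrapper snippet quoted in the thread:
#   tmp=$(safe_tempfile) || exit 1
#   zcat ... > "$tmp"
```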