Version: (using KDE KDE 3.3.2)
Installed from: Compiled From Sources
Compiler: gcc (GCC) 3.4.3
OS: Linux

The script kdelibs-3.3.2/dcop/dcopidlng/dcopidlng creates temporary files with names created in an unsecure manner (a fixed name with the process ID ($$) at the end).

Created attachment 9205: A patch that uses mktemp

On Friday 21 January 2005 17:30, Davide Madrisan wrote:
> ------- Additional Comments From davide.madrisan qilinux it 2005-01-21 17:30 -------
> Created an attachment (id=9205)
> --> (http://bugs.kde.org/attachment.cgi?id=9205&action=view)
> A patch that uses mktemp

Unfortunately mktemp is not portable, but there is no reason the file has to be in /tmp.

Greetings, Stephan
CVS commit by coolo: don't create guessable files in /tmp BUG: 97608 M +5 -3 dcopidlng 1.7 --- kdelibs/dcop/dcopidlng/dcopidlng #1.6:1.7 @@ -1,13 +1,15 @@ #!/bin/sh + +trap "rm -f dcopidlng.stderr.$$" + if test -z "$KDECONFIG"; then KDECONFIG=kde-config fi LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng" -perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2>/tmp/dcopidlng.stderr.$$ +perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$ RET=$? if [ $RET -ne 0 ] then - cat /tmp/dcopidlng.stderr.$$ >&2 + cat dcopidlng.stderr.$$ >&2 fi -rm /tmp/dcopidlng.stderr.$$ exit $RET
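Review bot: The added `trap "rm -f dcopidlng.stderr.$$"` line near the top names an action but no condition (for example `0`/`EXIT` plus the signals to handle), so no cleanup handler is registered, and because the final `rm /tmp/dcopidlng.stderr.$$` is removed in the same change the stderr file is now never deleted. Add the condition list to the trap or keep an explicit `rm -f` before `exit $RET`. The redirect `2> dcopidlng.stderr.$$` also ties the safety of the file to the current working directory: the name is still a fixed string plus the PID, so it is only safe when that directory is writable by the invoking user alone, and the redirect fails when the directory is not writable at all. Consider creating the file inside a directory the script makes for itself. `$1` is passed to perl unquoted in both the old and the new line and should be `"$1"`.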
coolo: How can this be more secure? The file name pattern is still predictable. Also, does the perl command emit output on stdout normally? If not, get rid of the temporary file handling and put exit $? at the end instead.

But the file name is not in a global directory, so the file name being predictable doesn't matter as only the user can write there.

In http://bugs.gentoo.org/show_bug.cgi?id=81652 Tavis Ormandy pointed out:
> The fix suggested upstream does not look acceptable, it doesn't solve the issue
> of predictable temp files (what if the user executes the script in /tmp?), and
> it would break if the user ran the script with a working directory they don't
> have write permissions to.

I think he's right.

If the user compiles KDE in /tmp there are tons more of predictable files created - like tons of .o files, config.status, etc. I don't see the point. And these files do not even have predictable names but fixed names. So you better make your users aware not to call random things when being in /tmp.
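One way to meet both objections raised in this thread (mktemp is not available everywhere, and a predictable name is unsafe in a directory other users can write to), as an added example that is not part of the original report or the KDE sources. The function names are hypothetical, and the fallback relies on `mkdir` being atomic.

```shell
#!/bin/sh
# Added example, not from kdelibs. Function names are hypothetical.

# Fallback when mktemp is missing: mkdir is atomic and fails if the name
# already exists (even as a dangling symlink), so a pre-planted entry is
# skipped rather than followed. umask 077 keeps the directory owner-only.
mkdir_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    i=0
    while [ "$i" -lt 100 ]; do
        dir="$base/dcopidlng.$$.$i"
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        i=$((i + 1))
    done
    return 1    # every candidate name was taken: fail closed
}

# Prefer mktemp -d (random name) where it is installed.
make_private_tmpdir() {
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "${TMPDIR:-/tmp}/dcopidlng.XXXXXX"
    else
        mkdir_private_tmpdir
    fi
}

# Run a command, pass stdout through, replay its stderr only on failure.
run_capturing_stderr() {
    tmpdir=$(make_private_tmpdir) || return 1
    trap 'rm -rf "$tmpdir"' EXIT
    trap 'exit 1' HUP INT TERM      # route signals through the EXIT trap
    ret=0
    "$@" 2>"$tmpdir/stderr" || ret=$?
    if [ "$ret" -ne 0 ]; then
        cat "$tmpdir/stderr" >&2
    fi
    rm -rf "$tmpdir"
    trap - EXIT HUP INT TERM
    return "$ret"
}

# Usage with the command from the script above:
#   run_capturing_stderr perl -I"$LIBDIR" "$LIBDIR/kalyptus" \
#       --allow_k_dcop_accessors -f dcopidl "$1"
```

Because the stderr file lives inside a directory only the caller can enter, its own name no longer needs to be unpredictable.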