On Wed, Jan 22, 2014 at 08:47:22PM +0100, Tino Mettler wrote:
> On Wed, Jan 22, 2014 at 19:09:24 +0100, Helmut Grohne wrote:
> > Package: syncevolution
> > Version: 1.0+ds1~beta2a-2
> > Severity: important
> > Tags: security
> >
> > Dear Maintainer,
> >
> > Your package contains a funny tmp file vulnerability.
> >
> > $ grep 'mktemp`\.' -r .
> > ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
> > ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
> > $
> >
> > Both of them are doing it wrong. They create a secure tempfile, but don't
> > use it and instead generate a (now) predictable(!) name without opening
> > it in a safe (O_CREAT) way.
>
> Hi,
>
> could you point out in more detail what is wrong here, and how it
> should be done right?

Sorry for having assumed this obvious. So what happens when you create a
temporary file like is being done in syncevolution

    TMPFILE=`mktemp`.suffix

is that a temporary file is securely made, but then you don't use it and
instead base your temporary filename on the secure temporary file. You
later write to it without using O_CREAT thus leading to the issue.

Ideally you don't manipulate the filename after the fact, so you need to
have the desired suffix incorporated into the creation process. Luckily
mktemp provides a mechanism for that: --suffix. So the correct solution
is:

    TMPFILE=`mktemp --suffix .suffix`

Now the desired file is created by mktemp and when you write to it using
other tools, it already is known to be owned by the relevant user.

Hope this helps

Helmut
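
The two patterns from the message above, side by side with an audit grep, as an added example that is not part of the original mail or of syncevolution. It assumes GNU mktemp and stat; the function names and the scratch directory are hypothetical.

```shell
#!/bin/sh
# Added example, not syncevolution code. Assumes GNU mktemp and stat.

# Reported pattern: mktemp creates one file, the script then uses another.
# Prints "<file mktemp created> <name the script goes on to write to>".
derived_name() {
    base=$(mktemp -p "$1")
    printf '%s %s\n' "$base" "$base.cxx"
}

# Fixed pattern: the suffix is part of the name mktemp itself creates.
created_name() {
    mktemp -p "$1" --suffix .cxx
}

# True only for an existing regular file (not a symlink) that belongs to
# the current user with mode 600, which is how mktemp leaves its files.
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ "$(stat -c '%u %a' "$1")" = "$(id -u) 600" ]
}

# Audit helper: the reporter's grep, widened to the $(mktemp) spelling.
# Lists lines where a suffix is appended to mktemp's output.
find_suffix_misuse() {
    grep -rnE '(`mktemp[^`]*`|\$\(mktemp[^)]*\))\.[A-Za-z0-9]' "$1"
}

# Demonstration inside a private scratch directory.
scratch=$(mktemp -d)
set -- $(derived_name "$scratch")
is_private_file "$2" || echo "not created by mktemp: $2"
safe=$(created_name "$scratch")
is_private_file "$safe" && echo "created by mktemp:     $safe"
rm -rf "$scratch"
```

The derived-name pattern also leaves the file that mktemp really created behind unused, so each run adds a stray empty file to the temporary directory.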