On Sun, 4 Sep 2011 19:26:47 -0500 Jonathan Nieder wrote:
> (-cc: bug#640389; +cc: bug#635849)
>
> Michael Gilbert wrote:
> > Jonathan Nieder wrote:
> >
> >> [1] The crux in bug #635849 is that if the user is allowed to
> >> influence TMPDIR or the template argument then the filename returned
> >> by tempfile and mktemp cannot be trusted not to contain shell
> >> metacharacters; but properly quoting all variables is already good
> >> policy in shell scripts anyway.
> [...]
> > OK, but I'm still not convinced that there's a case where an attacker
> > has control over TMPFILE and yet wouldn't be able to do other bad
> > things anyway. So what scenario are we actually trying to prevent here,
> > or is this just an academic concern?
>
> The underescaping is the original (and only) bug. In my original
> message, I mentioned a malicious or incompetent user having control of
> the TMPDIR envvar; I actually think incompetent is more likely than
> malicious and that neither is too likely.
>
> I'm not suggesting an extra security advisory or anything. My actual
> concern was and is that people reading and writing scripts use good
> habits (rather than using fragile workarounds that leave the script's
> behavior hard to understand). I don't think that's academic.

OK, your messages in #635849 seemed to indicate a real security flaw
remained (i.e. the "vaguely vulnerable" statement). Since that isn't
really the case, I'm closing the new bug in debianutils I just opened.

I will still clean up the escaping in the xpdf script, but I'm not
treating that with any urgency.

Best wishes,
Mike
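
The quoting habit discussed in the thread above, as an added example that is not part of the original messages or of the xpdf or debianutils code: a temp file is created under a constructed TMPDIR containing spaces, and the unquoted and quoted expansions of its name are compared. All function names and the directory name are hypothetical.

```shell
#!/bin/sh
# Constructed scenario: TMPDIR contains spaces, as a careless user might set it.

# Report how many words the shell passed to a command.
count_args() { echo "$#"; }

# Create a temp file under a TMPDIR with spaces and print its path.
make_tmpfile() {
    base=$(mktemp -d) || return 1
    mkdir "$base/my tmp dir" || return 1
    # Subshell so the TMPDIR change does not leak into the caller.
    (TMPDIR="$base/my tmp dir"; export TMPDIR; mktemp "$TMPDIR/demo.XXXXXX")
}

# Fragile: an unquoted expansion undergoes field splitting and globbing,
# so one filename can reach the command as several arguments.
words_unquoted() { count_args $1; }

# Robust: a quoted expansion is always exactly one word, and characters
# such as ';', '$' or '*' inside it stay literal.
words_quoted() { count_args "$1"; }

# Robust cleanup: quote the name, and use -- so a name starting with '-'
# is not read as an option. Also removes the two demo directories.
cleanup() {
    rm -f -- "$1" && [ ! -e "$1" ] || return 1
    d=$(dirname "$1") && rmdir "$d" "$(dirname "$d")"
}

demo() {
    f=$(make_tmpfile) || return 1
    echo "path:     $f"
    echo "unquoted: $(words_unquoted "$f") words"
    echo "quoted:   $(words_quoted "$f") word"
    cleanup "$f"
}
demo
```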