Hi!

On Sat, Jun 16, 2007 at 02:15:13AM +0200, Javier Fernández-Sanguino Peña wrote:
> Package: po4a
> Version: 0.29-1
> Severity: grave
> Tags: security patch
>
> If you run po4a-gettextize on contents that do not get converted to PO files
> due to some issue, the script will dump its results in
> /tmp/gettextization.failed.po.
>
> The script uses a file in the /tmp directory but does not try to prevent a
> symlink attack. A malicious user could create a symlink named like that in
> the temporary directory and pointing to one of the user's files so that when
> a user runs po4a-gettextize (and fails) the file the symlink pointed to would
> get overwritten.
>
> The fix is, IMHO, simple: just dump the results in the local directory, don't
> use /tmp at all (it is, after all, unnecessary). The attached patch to
> /usr/share/perl5/Locale/Po4a/Po.pm fixes this issue.
I don't want to reopen this bug but why is it OK to omit /tmp? The code is still vulnerable. Just assume po4a is started in /tmp or in another directory where an attacker has write access and the problem remains ... I agree that it is unlikely but I often work in /tmp to handle translations ...

Jens
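As an added illustration (not po4a's code, and not part of either message above), here is the unsafe fixed-name pattern next to two hardened ways of writing the failure dump. Both hardened variants also cover the case Jens raises, an attacker-writable working directory, because the open refuses to use a name that already exists or is a symlink; the script assumes a Linux perl whose Fcntl exports O_NOFOLLOW, and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not po4a's code): write the failure dump without
# following a pre-existing symlink, whether the target directory is
# /tmp or any other attacker-writable directory such as the cwd.
# Assumes a Linux perl whose Fcntl exports O_NOFOLLOW.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile);

# Unsafe pattern: fixed, predictable name opened with a plain ">".
# open() follows symlinks, so a planted link is written through.
sub dump_failed_po_unsafe {
    my ($dir, $content) = @_;
    my $path = "$dir/gettextization.failed.po";
    open(my $fh, '>', $path) or die "Cannot write $path: $!";
    print $fh $content;
    close $fh;
    return $path;
}

# Hardened variant 1: keep the well-known name but never reuse an
# existing one. O_EXCL fails the create if anything (file or symlink)
# already has that name; O_NOFOLLOW refuses to traverse a symlink.
# The user gets an error instead of a clobbered file.
sub dump_failed_po_exclusive {
    my ($dir, $content) = @_;
    my $path = "$dir/gettextization.failed.po";
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "Refusing to write $path (exists or is a symlink): $!";
    print $fh $content;
    close $fh;
    return $path;
}

# Hardened variant 2: unpredictable name via File::Temp, which opens
# with O_CREAT|O_EXCL itself and retries on collision. Report the name
# so the user can still find the partial PO file.
sub dump_failed_po_tempfile {
    my ($dir, $content) = @_;
    my ($fh, $path) = tempfile('gettextization.failed.XXXXXX',
                               DIR => $dir, SUFFIX => '.po');
    print $fh $content;
    close $fh;
    return $path;
}

my $partial = "msgid \"\"\nmsgstr \"\"\n";   # constructed sample content
print "Partial gettextization written to ",
      dump_failed_po_tempfile('.', $partial), "\n";
```

Variant 1 keeps the name the bug report mentions but turns a planted symlink into a visible failure; variant 2 removes the predictable name altogether, at the cost of having to tell the user where the dump went.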