Package: guilt
Version: 0.27-1
Severity: critical
Tags: security

guilt makes extensive use of the '$$' shell variable for temporary files in /tmp. This is a serious security vulnerability; on multi-user systems it allows an attacker to clobber files with something like the following:

  for i in `seq 1 32768`; do ln -sf /etc/passwd /tmp/guilt.log.$i; done

(In this example, if root does e.g. 'guilt push', /etc/passwd will get clobbered.)

Please use mktemp(1) to create temporary files.

For reference:

guilt-0.27$ grep '$$' *
guilt: $reject "$p" > /dev/null 2> /tmp/guilt.log.$$
guilt: rm -f /tmp/guilt.log.$$ /tmp/guilt.msg.$$
guilt: do_get_header "$p" > /tmp/guilt.msg.$$
guilt: [ ! -s /tmp/guilt.msg.$$ ] && echo "patch $pname" > /tmp/guilt.msg.$$
guilt: rm -f /tmp/guilt.msg.$$ /tmp/guilt.log.$$
guilt: do_get_full_header "$p" > /tmp/guilt.diff.$$
guilt: ) >> /tmp/guilt.diff.$$
guilt: git-diff $diffopts "$2" >> /tmp/guilt.diff.$$
guilt-header: do_get_full_header "$GUILT_DIR/$branch/$patch" > /tmp/guilt.msg.$$
guilt-header: do_get_patch "$GUILT_DIR/$branch/$patch" > /tmp/guilt.diff.$$
guilt-header: cat /tmp/guilt.msg.$$
guilt-header: cat /tmp/guilt.diff.$$
guilt-0.27$

Thanks,

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages guilt depends on:
ii  git-core  1:1.5.3.3-1  fast, scalable, distributed revisi

guilt recommends no packages.

-- no debconf information
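
Added example (not part of the original report and not guilt's own code): the PID-based naming pattern from the grep output next to the mktemp(1) replacement the report asks for, run against a pre-existing symlink. The function names, the private scratch directory standing in for /tmp, and the "victim" file are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a private scratch directory.

# Old pattern: the name is derived from the shell PID, and '>' follows
# whatever already exists at that path, including a symlink.
write_predictable() {   # $1 = directory standing in for /tmp
    echo "log output" > "$1/guilt.log.$$"
}

# Fixed pattern: mktemp(1) picks an unpredictable suffix and creates the
# file exclusively, so it never reuses a path that already exists.
write_mktemp() {        # $1 = directory standing in for /tmp
    tmp=$(mktemp "$1/guilt.log.XXXXXX") || return 1
    echo "log output" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run one writer in a fresh scratch dir where the PID-based name is already
# taken by a symlink, then print what the link target contains afterwards.
demo() {                # $1 = name of the writer function to exercise
    scratch=$(mktemp -d) || return 1
    echo "important data" > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/guilt.log.$$"
    "$1" "$scratch" > /dev/null
    cat "$scratch/victim"
    rm -rf "$scratch"
}

echo "PID-based name: victim now contains '$(demo write_predictable)'"
echo "mktemp(1) name: victim now contains '$(demo write_mktemp)'"
```

In a script such as guilt, the mktemp call would be paired with a trap that removes the file on exit, replacing the explicit "rm -f /tmp/guilt.*.$$" lines.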