Hi,
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-01-27 20:32]:
> /usr/bin/comix, line 10494:
> # =======================================================
> # Create the temporary directory used in this Comix session.
> # The dir is /tmp/comix/<num> where <num> is 1 or higher
> # depending on the number of Comix sessions opened.
> # =======================================================
> if not os.path.exists('/tmp/comix/'):
>     os.makedirs('/tmp/comix/')
>     os.chmod('/tmp/comix/', 0700)
> dir_number = 1
> while 1:
>     if not os.path.exists('/tmp/comix/' + str(dir_number)):
>         os.mkdir('/tmp/comix/' + str(dir_number))
>         os.chmod('/tmp/comix/' + str(dir_number), 0700)
>         self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
>         break
>     dir_number += 1
>
> Completely predictable filenames and chmodding after creation open this up
> for symlink attack.

I just had a look at this issue and cannot confirm what you said.
Can you please come up with an exploit scenario?

You are right, the directory names are predictable and there is of course
a race condition between if not os.path.exists and the mkdir call. But if
the name is a dangling symlink, mkdir will fail because the file already
exists.

"chmodding after creation open this up for symlink attack."

I also don't see why this should be true here, what would an attacker gain
by that? I might be wrong but I don't see any action that is done with that
directory that can be exploited via a symlink. Did you test this?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
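
Added example, not part of the original mail and not Comix code: Python 3 that checks, inside a private scratch directory, how os.mkdir behaves when the name is a dangling symlink, and creates a per-session directory with tempfile.mkdtemp so that neither a predictable name nor a chmod after creation is involved. The function names, the "comix-" prefix and the scratch layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def mkdir_rejects_existing_name(scratch):
    """Return True if os.mkdir() refuses a name occupied by a dangling symlink."""
    name = os.path.join(scratch, "1")  # constructed stand-in for /tmp/comix/1
    os.symlink(os.path.join(scratch, "does-not-exist"), name)
    # os.path.exists() follows the link, so the name looks free to the caller.
    assert not os.path.exists(name)
    try:
        os.mkdir(name, 0o700)
    except FileExistsError:
        return True  # mkdir(2) fails with EEXIST and does not follow the link
    return False


def create_session_dir(parent=None):
    """Create a private per-session directory without check-then-create."""
    # mkdtemp picks an unpredictable name and creates it with mode 0700 in one
    # mkdir call, retrying on collision, so no separate chmod step is needed.
    path = tempfile.mkdtemp(prefix="comix-", dir=parent)  # prefix is an assumption
    st = os.lstat(path)  # lstat inspects the entry itself, never a link target
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("session path is not a directory: " + path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("session directory not owned by us: " + path)
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("session directory accessible to others: " + path)
    return path + os.sep


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        print("mkdir refuses dangling symlink:", mkdir_rejects_existing_name(scratch))
        print("session dir:", create_session_dir(parent=scratch))
```
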