Hi,

> > The attached patch to vorbis.c changes the temporary file naming scheme
> > to use the name of the Ogg file with ".vgain.tmp" appended.
>
> I'm not a security crack, but to me this sounds like a bad idea as with
> this we have predictable temporary filenames, which could give an attack
> vector to an attacker.
>
> Wouldn't it make sense to use a secure tmp file name instead?
I am not one either, but I have thought about this when writing this patch, and I decided against it, for three reasons:

1) The current version has this exact vulnerability (if it is one) to an even greater extent, so I would not be adding a new vulnerability --- if it's a vulnerability, it should be filed as a separate bug, and fixed by someone who understands it better than I do.

2) My understanding is that the predictable temporary filenames are mainly a problem when the temporary file is created in a directory to which many users have write access, like /tmp. In the case of this program, the temporary directory is the directory that contains the original Ogg file --- likely the user's , so if an attacker is in a position to take advantage of the predictable temporary filename, the attacker wouldn't need the predictable temporary filename to cause harm.

3) This bug causes unpredictable data loss, and since many users now have multicore systems and may thus be tempted to run multiple instances of vorbisgain in parallel, the bug should be fixed as quickly as possible.

Best,
Pavel Krivitsky
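The approach the reviewer asks about, as an added example that is not part of the original message or of vorbisgain's code: a temporary file created with `mkstemp()` in the same directory as the Ogg file, then renamed over it. The function names and the `.vgain.XXXXXX` suffix are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a uniquely named temp file next to `target`
 * (same directory, so the later rename() stays on one filesystem).
 * mkstemp() opens the file with O_CREAT|O_EXCL and mode 0600, so it never
 * reuses an existing name, never follows a planted symlink, and parallel
 * runs on any files get distinct temp files.
 * Returns an open fd and fills `path`, or -1 on error. */
int open_temp_beside(const char *target, char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "%s.vgain.XXXXXX", target);
    if (n < 0 || (size_t)n >= path_len)
        return -1;                      /* name would be truncated */
    return mkstemp(path);
}

/* Hypothetical helper: write `len` bytes to a temp file, then atomically
 * replace `target` with it. A short write is treated as a failure.
 * Returns 0 on success, -1 on error (target is left untouched). */
int rewrite_atomically(const char *target, const void *data, size_t len)
{
    char tmp[4096];
    struct stat st;
    int fd = open_temp_beside(target, tmp, sizeof tmp);
    if (fd < 0)
        return -1;
    /* Carry the original file's permission bits over, if it exists. */
    int ok = write(fd, data, len) == (ssize_t)len
          && (stat(target, &st) != 0 || fchmod(fd, st.st_mode & 07777) == 0)
          && fsync(fd) == 0;
    if (close(fd) != 0)
        ok = 0;
    if (!ok || rename(tmp, target) != 0) {
        unlink(tmp);                    /* do not leave stray temp files */
        return -1;
    }
    return 0;
}
```

Because each call gets its own name, this covers both concerns raised in the thread: the name cannot be guessed in advance, and two instances running in parallel cannot overwrite each other's temporary file.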