Hi

Martin Schulze schrieb:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
> > seems fixed by the newly introduced checkDelSymlink() function,
> > which was added to ten different places in the code (not all of which
> > might be security sensitive, but at least two operate directly
> > on temporary files).
> 
> This does not eliminate the vulnerability but only shortens the vulnerable
> window.  An attacker can still re-create the link between the unlink()
> and the open() calls.  The proper action would be to use File::Temp
> or something similar.

Though the whole passing around of temporary file names and
reopening them in another function seems broken to me, see
-outRandom and others. Searching for uses of $tmpdir in
StoreBackup.pl reveals a dozen or so places where filenames
in /tmp are passed to functions which then open them writable
without any checks (though with randomized suffixes). Some of
these files are then opened again later. I'm not competent on
this whole tempfile race issue, but I don't like this.

I'm now building a 1.18 package for stable with your fixes; one
day I will have to replace the filename-passing stuff with filehandle
passing, but that will happen in a current version.

Shall I build a deb with your patches for you?

regards, 2ri
-- 
Secure email, spread GPG, clearsign all mail. http://www.gnupg.org
.
Reality is that which, when you stop believing in it, doesn't go away.
 -- Philip K. Dick

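The race Martin describes (a symlink check, then unlink(), then an open() that follows whatever sits at the name by the time it runs) and the File::Temp / filehandle-passing fix discussed above, shown as an added example. This is not storeBackup's code: the subroutine names, the name under $tmpdir and the victim file are constructed for the demonstration, and the $race callback is a deterministic stand-in for an attacker who in reality would run in a separate process and win the window only some of the time.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir tempfile);

# Stand-in for the pattern under discussion: a name under $tmpdir is built,
# a symlink check removes any link found there, and the name is then opened
# writable. $race is called between the check and the open, standing in for
# the attacker re-creating the symlink in that window.
sub write_tmp_vulnerable {
    my ($name, $data, $race) = @_;
    unlink $name if -l $name;          # the checkDelSymlink-style check
    $race->() if $race;                # attacker re-creates the symlink here
    open(my $fh, '>', $name) or die "open $name: $!";   # follows the symlink
    print $fh $data;
    close $fh;
    return $name;
}

# Hardened: O_CREAT|O_EXCL makes the kernel refuse if anything already sits
# at $name, including a symlink (even a dangling one), so there is no window
# between a check and the open for an attacker to win.
sub write_tmp_hardened {
    my ($name, $data, $race) = @_;
    $race->() if $race;
    sysopen(my $fh, $name, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return undef;               # caller treats failure as an attack
    print $fh $data;
    close $fh;
    return $name;
}

# Preferable still: let File::Temp pick the name and open it O_EXCL, then
# hand the filehandle to later stages instead of re-opening by name.
sub write_tmp_file_temp {
    my ($tmpdir, $data) = @_;
    my ($fh, $name) = tempfile('storeBackup.XXXXXXXX', DIR => $tmpdir);
    print $fh $data;
    seek($fh, 0, 0) or die "seek: $!";   # rewind; consumers read $fh, not $name
    return ($fh, $name);
}

sub slurp {
    my ($path) = @_;
    open(my $h, '<', $path) or die "open $path: $!";
    local $/;
    my $content = <$h>;
    close $h;
    return $content;
}

# Demonstration in a throwaway directory; file names and contents are
# constructed here and are not real data.
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'victim');
my $name   = File::Spec->catfile($dir, 'storeBackup.tmp.12345');  # "predictable" name

open(my $v, '>', $victim) or die "open $victim: $!";
print $v "original\n";
close $v;

my $plant = sub { symlink($victim, $name) or die "symlink: $!" };

write_tmp_vulnerable($name, "clobbered\n", $plant);
print "vulnerable: victim now contains: ", slurp($victim);

unlink $name;                          # reset: drop the planted symlink
open($v, '>', $victim) or die "open $victim: $!";
print $v "original\n";
close $v;

my $result = write_tmp_hardened($name, "clobbered\n", $plant);
my $err    = $!;
print "hardened: open ", (defined $result ? "succeeded" : "refused ($err)"),
      "; victim still contains: ", slurp($victim);

unlink $name;
my ($fh) = write_tmp_file_temp($dir, "payload\n");
my $line = <$fh>;
print "File::Temp: read back through the handle: $line";
```

The first call overwrites the victim because open('>') resolves the symlink that was planted after the check; the second is refused with EEXIST and the victim is untouched. The File::Temp variant is the form the thread recommends: tempfile() opens with O_EXCL on a name it chose itself, and returning the handle removes the later re-open by name that would otherwise re-introduce the same race.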