Hi again,
I'm sorry, my previous patch didn't check mktemp's return value, and if
mktemp fails, DIR is empty and [ -d $DIR ] succeeds (for whatever
reason). So this is still exploitable if fbgs is executed in a dir the
attacker has write access to.
Attached a new version which might be correct. :/
Jan Braun wrote:
> Package: fbi
> Version: 2.01-1.4
> Severity: important
> Tags: security patch
Sorry for the late reply, an update is in preparation.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Florian Weimer schrob:
> * Jan Braun:
>
> > # tmp dir
> > -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> > -mkdir -p $DIR || exit 1
> > +DIR=`mktemp -dtp /var/tmp fbgs-XX`
> > +[ -d $DIR ] || exit 1
>
> I think you should use /tmp. /var/tmp is not cleared on reboot.
You are right. I just kept t
* Jan Braun:
> # tmp dir
> -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> -mkdir -p $DIR|| exit 1
> +DIR=`mktemp -dtp /var/tmp fbgs-XX`
> +[ -d $DIR ] || exit 1
I think you should use /tmp. /var/tmp is not cleared on reboot.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "
Package: fbi
Version: 2.01-1.4
Severity: important
Tags: security patch
Hi,
the fbgs script uses an unsafe way to create its tempdir:
mkdir -p /var/tmp/fbps-$$
and proceeds to write to fixed filenames in this folder.
This can be raced to overwrite arbitrary files of the user running fbgs.
A patch
5 matches
Mail list logo
