The thing is that an attacker shouldn't succeed every time, but he wants to succeed only once (the defender's task is to never ever allow anybody to do it). He may naively try to create & delete a symlink in a loop or do some nontrivial steps to make the system scheduler stop the conky process exactly (ideally for an attacker) between the stat and open calls. He may know scheduler heuristics (when it might change the running task) or even try to exploit another vulnerability, e.g. if he gains CAP_SYS_NICE then he may control the scheduler's behavior rather well. It's better not to think about the cases, but just safely use temp files (or not even use them at all - it's even better :-)).
Also please look at my patch at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033, I tried to make it small.

Thanks,
Vasiliy.

--
https://bugs.launchpad.net/bugs/607309
Title: vulnerability: rewrite arbitrary user file
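
The "safely use temp files" advice from the message above, as an added example that is not part of the original e-mail, of conky's code or of the linked patch: the file is created in a single open() call, so there is no gap between a stat and an open for a symlink to appear in. The function names and the /tmp demo paths are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` for writing with no separate stat() step.
 * O_CREAT|O_EXCL fails if anything, a symlink included, already has that
 * name; O_NOFOLLOW is a second guard on the final path component.
 * Returns an fd, or -1 with errno set. */
int create_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check the object we hold (the fd), never the name again. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink sits at the temp name and points at another
 * file of the same user. Returns 0 if creation through the symlink is refused,
 * the target is untouched, and a fresh name still works. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", target[128], lnk[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(lnk, sizeof lnk, "%s/tmpfile", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || write(t, "keep", 4) != 4) return -1;
    close(t);
    if (symlink(target, lnk) != 0) return -1;
    int fd = create_private_file(lnk);           /* must be refused */
    int refused = (fd < 0);
    if (fd >= 0) close(fd);
    int intact = (stat(target, &st) == 0 && st.st_size == 4);
    unlink(lnk);
    fd = create_private_file(lnk);               /* name is free now */
    int fresh_ok = (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return (refused && intact && fresh_ok) ? 0 : 1;
}
```

For a name chosen by the library rather than by the program, mkstemp() gives the same exclusive-create guarantee.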