On Wed, 2 Jan 2008 22:08:45 +0100 "Roflek of TK53" <[EMAIL PROTECTED]> wrote:
> Simply generating very long filenames doesn't protect you from race
> conditions and symlink attacks. Well, from a practical, naive point of
> view that only considers what is easy to observe, it is. But since
> security is a serious business, the race condition exists as long as
> the code doesn't correctly check the existence of the target file.
> Hint: atomicity is the keyword.

Dear Rofl and Lol as in Lek,

since you didn't bother to contact us before posting full disclosure
we didn't have a chance for a technical discussion. I don't negate your
points about O_EXCL etc. I don't negate the thesis in the subject
either :-) What I really negate is the FUD you're making with your
disclosures, some technical details, and the general pointlessness of
making a storm in a teacup around issues which should be rather treated
as regular bugs because their security significance is close to 0.

--
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Wed Jan  2 23:29:52 CET 2008
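The atomicity point from the quoted text, as an added example that is not part of the original thread and is not ClamAV code: a separate existence check followed by open() is compared with a single open() using O_CREAT | O_EXCL, inside a private mkdtemp() directory. The function names, the file names scan.tmp and other-file, and the /tmp location are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Check-then-create: the existence test and the open are two separate steps. */
static int create_checked(const char *path) {
    if (access(path, F_OK) == 0) { errno = EEXIST; return -1; }
    /* Window: anything may appear at path here, and open() follows symlinks. */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic: the kernel creates the file only if nothing, not even a
 * symlink, already exists at path; otherwise it fails with EEXIST. */
static int create_atomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a dangling symlink already sits at the name the
 * program is about to use. Returns a bit mask: bit 0 set if the checked
 * variant wrote through the link, bit 1 set if the atomic variant refused
 * with EEXIST; returns -1 on setup error. */
int demo(void) {
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char tmp[64], target[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/scan.tmp", dir);
    snprintf(target, sizeof target, "%s/other-file", dir);
    if (symlink(target, tmp) != 0) return -1;

    fd = create_checked(tmp);           /* access() sees "no file" via the dangling link */
    if (fd >= 0) close(fd);
    if (access(target, F_OK) == 0) result |= 1;   /* the link target was created */
    unlink(target);

    fd = create_atomic(tmp);
    if (fd < 0 && errno == EEXIST) result |= 2;   /* refused: a name already exists */
    if (fd >= 0) close(fd);

    unlink(tmp);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("demo() = %d (3: checked variant followed the link, O_EXCL refused)\n", demo());
    return 0;
}
```

The length or randomness of the file name plays no part in either outcome; only the O_EXCL variant makes the existence check and the creation a single operation.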
