Package: 9base
Version: 1:6-6
Severity: important
Tags: security
Murray McAllister from Red Hat Security Response Team discovered that rc
creates temporary files in an insecure way:
$ strace -o '| grep /tmp' ./test-heredoc
open("/tmp/here217f.0000", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 5
open("/tmp/here217f.0000", O_RDONLY|O_LARGEFILE) = 5
moo
unlink("/tmp/here217f.0000") = 0
As you can see, the filenames are easily predictable, and the O_EXCL
flag is missing.
--
Jakub Wilk
#!/usr/lib/plan9/bin/rc
cat << EOF
moo
EOF