Package: mutt
Version: 1.5.23-3
Tags: security

This is how smime_keys creates temporary files:

       my $file = sprintf( '/tmp/smime-%d.%d', $$, int(rand( 999999 ) ) );
       print STDERR "TMPFILE: $file\n";
       if ( -e $file ) {
           die( "ERROR: TMPFILE $file existss?!?!" );
       }
       open OUT, ">$file";
       print OUT $cert;
       close OUT;


The filename is not very random (just ~20 bits of entropy, because pids are predictable); and there's a race window between the check of the file existence and the file creation, in which a local attacker could create the file.

Please use the File::Temp module for securely creating temporary files. (Or maybe use pipes, instead of temporary files, for communicating with openssl.)

--
Jakub Wilk


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to