Hi,

> On Tue, Aug 04, 2009 at 07:14:21PM +0200, Florian Zumbiehl wrote:
> > >    * Upstream has also fixed createOutputFile to be more secure
> > >      (Closes: #388608)
> > 
> > Whatever supposedly has been made "more secure" there, this bug rather
> > obviously hasn't been fixed.
> 
> Did you read the source?

Well, otherwise I probably wouldn't have reopened the bug?

> It's been changed to do:
> 
> open()
> chmod(restricted)
> chown()
> chmod(intended)
> 
> which does fix the bug, I believe.

To quote the first paragraph of my bug report:

| I'd argue that there is a race condition in there: If sb.st_mode
| includes group permissions, this could (given the appropriate umask)
| grant these permissions to the effective group of the creating process
| in the moment of file creation.

The old code:

| open(compressedName, O_RDWR | O_CREAT | O_TRUNC, sb.st_mode)

The new code:

| int createOutputFile(char *fileName, int flags, struct stat *sb)
[...]
| open(fileName, flags, sb->st_mode)
[...]
| createOutputFile(compressedName, O_RDWR | O_CREAT | O_TRUNC, sb)

Now, where is the semantic change that could possibly have fixed this bug?

Florian
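
The creation-time window argued about in this message, as an added C example that is not part of the original mail and is not logrotate's code: it contrasts the quoted `open(fileName, flags, sb->st_mode)` pattern with creating the file owner-only and widening the mode only after ownership is set. The names `create_racy`, `create_restricted` and `run_demo`, the umask of 0, the mode 0660 and the use of `O_EXCL` are assumptions chosen for the demonstration.

```c
/* Added example (not logrotate's code); function names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static mode_t mode_of(int fd) {            /* permission bits of an open fd */
    struct stat st;
    return fstat(fd, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}
/* Pattern quoted in the mail: the target mode goes straight into open(), so
 * group bits are live while the file still carries the creator's gid. */
int create_racy(const char *path, const struct stat *sb, mode_t *initial) {
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, sb->st_mode);
    if (fd >= 0) *initial = mode_of(fd);
    return fd;
}
/* Owner-only at creation, then ownership, then the intended mode. */
int create_restricted(const char *path, const struct stat *sb, mode_t *initial) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    *initial = mode_of(fd);
    if (fchown(fd, sb->st_uid, sb->st_gid) != 0 || fchmod(fd, sb->st_mode & 07777) != 0) {
        close(fd); unlink(path);
        return -1;
    }
    return fd;
}
/* Constructed scenario: umask 0, intended mode 0660, owner = current user. */
int run_demo(mode_t *racy0, mode_t *safe0, mode_t *safe_final) {
    char dir[] = "/tmp/modedemoXXXXXX", a[64], b[64];
    struct stat sb = { .st_mode = 0660, .st_uid = getuid(), .st_gid = getgid() };
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/racy", dir);
    snprintf(b, sizeof b, "%s/safe", dir);
    mode_t old = umask(0);
    int fa = create_racy(a, &sb, racy0), fb = create_restricted(b, &sb, safe0);
    umask(old);
    if (fb >= 0) *safe_final = mode_of(fb);
    if (fa >= 0) close(fa);
    if (fb >= 0) close(fb);
    unlink(a); unlink(b); rmdir(dir);
    return (fa >= 0 && fb >= 0) ? 0 : -1;
}
int main(void) {
    mode_t r = 0, s = 0, f = 0;
    if (run_demo(&r, &s, &f) != 0) { perror("demo"); return 1; }
    printf("racy initial %04o, restricted initial %04o, final %04o\n",
           (unsigned)r, (unsigned)s, (unsigned)f);
    return 0;
}
```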


