Hi Hamish!

It seems that the upstream fix for this issue is far from ideal.

> TMP=`tempfile -d /tmp -p geo. -s .code`


> so calling this "fixed-upstream" and hoping that tempfile is somewhat
> portable beyond Debian.

Any particular reason for using the Debian-specific tempfile instead of
the generally available mktemp?

Apart from the portability issues of the fix, the fix does not address
the flaw properly either.  Even though the TMP file (never used, IIRC) is
created in a secure way, all other temporary files are not (STYLE,
COORDS, OUTWAY, MAP for geo-code).  So when TMP is created, a local user
can see its name and can create malicious symlinks
TMP.style, .coords, .way, .gif before the script attempts to use them
for the first time (or guess or brute-force the TMP name in advance).  You
either have to create all temporary files using mktemp, or make TMP a
temporary directory (or a dot-directory in the user's home dir, and then
you do not have to care about creating it securely at all).

There are still a few other issues in geo-nearest, like:

  cp "$GEOWAY" /tmp/geocaching.loc


  filter1="tee $TMP.page"
  filter2="tee $TMP.bulk"

See the following bugs for the patch that is in preparation for Fedora


Tomas Hoger

Pkg-grass-devel mailing list
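
The "make TMP a temporary directory" option from the message above, sketched as an added example; it is not part of the original e-mail, the upstream scripts or the Fedora patch. The function names and the file names inside the directory are hypothetical.

```shell
#!/bin/sh
# Added example; make_workdir and workdir_is_private are hypothetical names.

# Pattern criticised in the message: only $TMP is created atomically, while
# the names derived from it are predictable and opened later without checks:
#   TMP=`tempfile -d /tmp -p geo. -s .code`
#   STYLE=$TMP.style COORDS=$TMP.coords OUTWAY=$TMP.way MAP=$TMP.gif

# Create one private directory; mktemp -d makes it atomically with mode 0700,
# so no other local user can pre-create entries inside it.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXXXX"
}

# Sanity check before use: a real directory (not a symlink), owned by us,
# with no group/other permission bits.
workdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

umask 077
WORK=$(make_workdir) || exit 1
workdir_is_private "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT
trap 'exit 1' HUP INT TERM

# Every working file lives inside $WORK, including the ones geo-nearest
# currently writes to fixed or derived names under /tmp.
STYLE=$WORK/style
COORDS=$WORK/coords
OUTWAY=$WORK/way
MAP=$WORK/map.gif
LOC=$WORK/geocaching.loc
filter1="tee $WORK/page"
filter2="tee $WORK/bulk"
: > "$STYLE"
```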