Tomas Hoger wrote:
> It seems that upstream fix for this issue is far from being
> ideal.
> > TMP=`tempfile -d /tmp -p geo. -s .code`
> [...]
> > so calling this "fixed-upstream" and hoping that tempfile is somewhat
> > portable beyond Debian.
> Any particular reason for using Debian-specific tempfile, instead of
> generally available mktemp?

just pure ignorance of non-Debian things on my part, and cluttered web
search results.

> Apart from the portability issues of the fix,

[easily fixed]

> the fix does not address the flaw properly as well.  Even though TMP file
> (never used, IIRC) is created in a secure way, all other temporary files
> are not (STYLE, COORDS, OUTWAY, MAP for geo-code).  So when TMP is
> created, local user can see its name and can create malicious symlinks
>, .coords, .way, .gif before script will attempt to use them
> for the first time (or guess or brute-force TMP name in advance).

ok, race condition...

> You either have to create all temporary files using mktemp, or make TMP
> a temporary directory

e.g. as earlier:
(umask 077 && mkdir "$tmp") || {
    echo "Cannot create temporary directory! Exiting." 1>&2
    exit 1
}

> (or dot-directory in user's home dir and you do not have to care about
> creating it securely at all).

but then you need to be more pedantic about cleanup,

> There are still few other issues in geo-nearest, like:

ok, well those scripts are now removed in upstream SVN r2204 so it's a
moot point. they were old contrib stuff far outside the purpose of the
main program....
it's safe to remove them in the pre4 packaging.

> See following bugs for the patch that is in preparation for
> Fedora packages:

thanks for the tips, it is always good to learn how to do these things
more properly. I do wish people would take the time to push these
patches/bug reports upstream instead of 3 teams doing the same work... :)



Pkg-grass-devel mailing list
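
Added example, not part of the original message or of the upstream scripts: the "make TMP a temporary directory" approach from the thread, using mktemp -d so that every derived file (STYLE, COORDS, OUTWAY, MAP) lives inside a private directory. The function names, the geo. prefix on the directory and the file names inside it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the geo-code script itself): one private directory holds
# every temporary file, so no predictable name is ever opened directly in /tmp.

# Create a directory with an unpredictable name and print its path.
# mktemp -d fails instead of reusing an existing name, so a pre-planted
# symlink or directory cannot be adopted. The error branch mirrors the
# mkdir snippet quoted in the thread.
make_workdir() {
    (umask 077 && mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXXXX") || {
        echo "Cannot create temporary directory! Exiting." 1>&2
        return 1
    }
}

# Print the permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Remove the work directory; a real script would register this with
#   trap 'cleanup "$workdir"' EXIT
cleanup() {
    if [ -n "$1" ] && [ -d "$1" ]; then rm -rf -- "$1"; fi
}

# Create the four files named in the thread inside the private directory
# and print the directory path so the caller can inspect or remove it.
demo() {
    workdir=$(make_workdir) || return 1
    STYLE="$workdir/style"      # file names inside the directory are
    COORDS="$workdir/coords"    # hypothetical; only the variable names
    OUTWAY="$workdir/way"       # come from the thread
    MAP="$workdir/map.gif"
    for f in "$STYLE" "$COORDS" "$OUTWAY" "$MAP"; do
        # Other local users cannot create entries in a mode-0700 directory,
        # so these fixed names are safe to open here.
        : > "$f" || return 1
    done
    echo "$workdir"
}
```

The fixed names are only safe because their parent directory is unguessable and inaccessible to other users; the same names appended to a visible /tmp path would reintroduce the race discussed above.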
