Tomas Hoger wrote:
> It seems that upstream fix for this issue is far from being
> ideal.
> 
> > TMP=`tempfile -d /tmp -p geo. -s .code`
> 
> [...]
> 
> > so calling this "fixed-upstream" and hoping that tempfile is somewhat
> > portable beyond Debian.
> 
> Any particular reason for using Debian-specific tempfile, instead of
> generally available mktemp?

just pure ignorance of non-Debian things on my part, and cluttered web
search results.

 
> Apart from the portability issues of the fix,

[easily fixed]

> the fix is not address the flaw properly as well.  Even though TMP file
> (never used, IIRC) is created in a secure way, all other temporary files
> are not (STYLE, COORDS, OUTWAY, MAP for geo-code).  So when TMP is
> created, local user can see its name and can create malicious symlinks
> TMP.style, .coords, .way, .gif before script will attempt to use them
> for the first time (or guess or brute-force TMP name in advance).

ok, race condition...


> You either have to create all temporary files using mktemp, or make TMP
> a temporary directory

e.g. as earlier:
tmp="/tmp/geo-code.$$"
(umask 077 && mkdir "$tmp") || {
    echo "Cannot create temporary directory! Exiting." 1>&2
    exit 1
}

> (or dot-directory in user's home dir and you do not have to care about
> creating it securely at all).

but then you need to be more pedantic about cleanup,

 
> There are still few other issues in geo-nearest, like:

ok, well those scripts are now removed in upstream SVN r2204 so it's a
moot point. they were old contrib stuff far outside the purpose of the
main program....
it's safe to remove them in the pre4 packaging.


> See following bugs for the patch that is in preparation for
> Fedora packages:
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=470241
>   https://bugzilla.redhat.com/show_bug.cgi?id=475478

thanks for the tips, it is always good to learn how to do these things
more properly. I do wish people would take the time to push these
patches/bug reports upstream instead of 3 teams doing the same work... :)


regards,
Hamish



      




_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel

Reply via email to