2007/11/20, Kees Cook <[EMAIL PROTECTED]>:
> As far as I can tell, the filters are spawned directly from tracker, so
> they share the current working directory. When I looked at the tracker
> running in my session, its directory was my home directory. The code
> from one of the filters reads:
>
> st=/tmp/tempfile.$$
> nice -n19 ssindex -i "$1" > st
>
> Using "st" there instead of "$st" means that the file "st" will be
> overwritten in the current directory, which, I think in this case is the
> user's home directory. So, in this case, only msword_filter is actually
> vulnerable to tempfile races (the others just clobber "st").
>
> I don't have a proof-of-concept for this, I was just doing some code
> reading.

Using "st" instead of "$st" is obviously a typo.
Nonetheless, the usage of /tmp/tempfile.$$ is generally discouraged from
a security pov.
http://www.linuxsecurity.com/content/view/115462/151/ recommends using
"mktemp" for creating secure temp files.

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

--
unsafe tempfile usage
https://bugs.launchpad.net/bugs/164148
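
The temp-file handling discussed in this thread, rewritten around mktemp, plus a grep that flags the PID-based pattern in the remaining filters. This is an added example, not tracker's code and not part of either message; `extract_text` is a hypothetical stand-in for the converter (ssindex in the quoted snippet), and `run_filter` and `find_pid_tempfiles` are assumed names.

```shell
#!/bin/sh
# Added example, not tracker's code.
# extract_text is a hypothetical stand-in for the converter the filter
# calls (ssindex in the quoted snippet); here it just copies the input.
extract_text() { cat -- "$1"; }

# Hardened temp-file handling. mktemp creates the file itself, atomically,
# with an unpredictable name and owner-only permissions, so there is no
# window in which another user can plant something at the path.
# The function body is a subshell so the EXIT trap is scoped to one call.
run_filter() (
    st=$(mktemp "${TMPDIR:-/tmp}/filter.XXXXXXXXXX") || exit 1
    trap 'rm -f -- "$st"' EXIT            # clean up on every exit path
    extract_text "$1" > "$st" || exit 1   # "$st", not the literal word st
    cat -- "$st"
)

# Audit helper: list script lines that build a temp path from the shell's
# PID ($$), the pattern quoted above. Output is file:line:text; the exit
# status is 1 when nothing matches.
find_pid_tempfiles() {
    grep -rnE '/tmp/[^[:space:]"]*\$\$' -- "$1"
}
```

Running `find_pid_tempfiles` over the directory that holds the filter scripts gives the list of files that still need the mktemp change.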
