[539] in linux-security and linux-alert archive
elvis
daemon@ATHENA.MIT.EDU (owner-linux-security@tarsier.cv.nr)
Tue Jan 2 13:03:04 1996
From: owner-linux-security@tarsier.cv.nrao.edu
Date: Tue, 2 Jan 1996 04:57:59 -0500 (EST)
To: linux-security@tarsier.cv.nrao.edu
Sometimes when you see a bug you are just too embarrassed about it being there
to actually write an exploit for it...
From the elvis source code tmp.c:
/* !!! RACE CONDITION HERE - some other process with the same PID could
* create the temp file between the access() call and the creat() call.
* This could happen in a couple of ways:
* - different workstation may share the same temp dir via NFS. Each
* workstation could have a process with the same number.
* - The DOS version may be running multiple times on the same physical
* machine in different virtual machines. The DOS pid number will
* be the same on all virtual machines.
*
* This race condition could be fixed by replacing access(tmpname, 0)
* with open(tmpname, O_CREAT|O_EXCL, 0600), if we could only be sure
* that open() *always* used modern UNIX semantics.
*/
Is there ANYBODY who looks at the code before it goes into Slackware???
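The comment above describes a classic check-then-create (TOCTOU) window and names the fix itself: replace access() plus creat() with a single open(O_CREAT|O_EXCL). The program below is an added illustration written for this archive page; it is not elvis code and not from the original post. It replays the window step by step in a private directory under /tmp (the temp file name elv_1234 and the helper names are constructed for the demo): first with the two-call pattern, where creat() silently truncates a file that appeared between the two calls, then with the atomic open(), which refuses the name and leaves the other file untouched.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The fix the elvis comment proposes: existence check and create in one
 * atomic open(). O_CREAT|O_EXCL fails with EEXIST if the name already exists
 * (a symlink at that name counts too), so nothing can slip in between.
 * Returns 1 if created, 0 if the name was already taken, -1 on error. */
int create_tmp_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    close(fd);
    return 1;
}

/* --- demonstration scaffolding, constructed for this example --- */

/* Stand-in for "the other process with the same PID": drops a one-byte file. */
static int plant_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "X", 1) != 1) { if (fd >= 0) close(fd); return -1; }
    close(fd);
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Fresh private directory per scenario; the elvis-style pid-derived temp
 * name (assumed, not elvis's real naming) is written into buf. */
static int fresh_path(char *buf, size_t n)
{
    char dir[] = "/tmp/elvis_race_XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    snprintf(buf, n, "%s/elv_1234", dir);
    return 0;
}

static void cleanup(const char *path)
{
    char dir[256];
    snprintf(dir, sizeof dir, "%s", path);
    char *slash = strrchr(dir, '/');
    if (slash) { *slash = '\0'; unlink(path); rmdir(dir); }
}

/* The two-call pattern, with the window made explicit: access() says the
 * name is free, another process creates it, then creat() runs. Because
 * creat() is O_WRONLY|O_CREAT|O_TRUNC, the other file is truncated and
 * reused. Returns the planted file's size afterwards (0 = clobbered). */
long demo_racy_window(void)
{
    char path[256];
    long size = -1;
    if (fresh_path(path, sizeof path) < 0) return -1;
    if (access(path, F_OK) != 0 && plant_file(path) == 0) {  /* steps 1 and 2 */
        int fd = creat(path, 0600);                           /* step 3 */
        if (fd >= 0) { close(fd); size = file_size(path); }
    }
    cleanup(path);
    return size;
}

/* Same interleaving with O_CREAT|O_EXCL: the late open() is refused and the
 * other process's file keeps its byte. Returns its size (1 = intact). */
long demo_safe_window(void)
{
    char path[256];
    long size = -1;
    if (fresh_path(path, sizeof path) < 0) return -1;
    if (plant_file(path) == 0 && create_tmp_safe(path) == 0)
        size = file_size(path);
    cleanup(path);
    return size;
}

/* On a genuinely free name the atomic version still creates the file. */
int demo_safe_fresh(void)
{
    char path[256];
    if (fresh_path(path, sizeof path) < 0) return -1;
    int r = create_tmp_safe(path);
    cleanup(path);
    return r;
}

int main(void)
{
    printf("two-call pattern: planted file size after creat() = %ld\n", demo_racy_window());
    printf("O_CREAT|O_EXCL:   planted file size after open()  = %ld\n", demo_safe_window());
    printf("O_CREAT|O_EXCL:   result on a free name           = %d\n", demo_safe_fresh());
    return 0;
}
```

The "other process" here is simulated inside one program so the interleaving is deterministic; on a real system the same ordering depends on timing, which is exactly why a check that is separate from the create cannot be trusted. On any system where open() honours O_EXCL (the doubt the elvis comment raises about pre-modern UNIX), the atomic form removes the window entirely; mkstemp(3) wraps the same O_CREAT|O_EXCL open with a randomised name.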