[11488] in bugtraq


Re: Insecure use of file in /tmp by trn

daemon@ATHENA.MIT.EDU (Rogier Wolff)
Sun Aug 22 21:02:36 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <199908211547.RAA01512@cave.BitWizard.nl>
Date:         Sat, 21 Aug 1999 17:47:37 +0200
Reply-To: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
From: Rogier Wolff <R.E.Wolff@BITWIZARD.NL>
X-To:         joey@infodrom.north.de
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990819214215.J28824@finlandia.infodrom.north.de> from Martin
              Schulze at "Aug 19, 99 09:42:15 pm"

Martin Schulze wrote:
> This was not intentional by the author, he tried to use tempfile(1) to
> create the temporary filename.  However, due to a thinko, the name was
> hardcoded into the script.
[...]
> +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
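
Review bot: the added NNTPactive line begins with "#", so as quoted it is a comment and assigns nothing. The line that actually sets the variable is not visible in this hunk, and it is worth confirming there that the name is obtained each time the script runs rather than being fixed in the script text. The trailing comment still carries the old PID-based /tmp/active.\$\$ name next to the new call; I would drop it so nobody restores it later. The file should also be created by the same call that picks its name, not by a later plain redirect to that name.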

So now you're using tempfile? This usually yields an easily
predictable filename, for which the same exploits hold. Just keep an
eye out for the last PID issued, and OK, this time you might need to
flip a link (provided that tempfile indeed refuses to return a file
that is currently symlinked.)

					Roger.

--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
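
The concern raised in this message, a temporary name that can be guessed and may already be occupied by a symlink, is usually addressed by creating the file atomically. The following is an added example, not code from the original post or from trn; the function names and the scratch directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). All function names are hypothetical.

# Create the file at $1 only if nothing usable is already there. With noclobber
# (set -C) the shell refuses an existing regular file, including one reached
# through a symlink, and uses O_CREAT|O_EXCL otherwise, so a dangling symlink
# is refused as well instead of being followed.
create_excl() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# Preferred form: mktemp picks an unpredictable suffix and creates the file
# itself (mode 0600, exclusive create), so there is no gap between choosing
# the name and creating the file.
new_active_file() {
    mktemp "${TMPDIR:-/tmp}/active.XXXXXX"
}

# Constructed check, run inside a private scratch directory: links already
# occupy the PID-based names. Creation must fail, the existing file must keep
# its content, and the dangling link's target must not come into existence.
refuses_planted_link() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 2
    rc=0
    echo original > "$scratch/existing"
    ln -s "$scratch/existing" "$scratch/active.$$"
    ln -s "$scratch/missing" "$scratch/active2.$$"
    if create_excl "$scratch/active.$$"; then rc=1; fi
    if create_excl "$scratch/active2.$$"; then rc=1; fi
    [ "$(cat "$scratch/existing")" = original ] || rc=1
    [ ! -e "$scratch/missing" ] || rc=1
    rm -rf "$scratch"
    return $rc
}

if refuses_planted_link; then
    echo "pre-existing links refused"
fi
```

Note that noclobber does not refuse a symlink that points at a non-regular file such as a device node, which is one more reason to let mktemp create the file.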
