[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
gnats/52: send-pr is vulnerable to symlink attacks
From: |
phil+gnats |
Subject: |
gnats/52: send-pr is vulnerable to symlink attacks |
Date: |
4 Mar 2000 09:57:28 -0000 |
>Number: 52
>Category: gnats
>Synopsis: send-pr is vulnerable to symlink attacks
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 04 02:04:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Phil Homewood
>Release: send-pr claims v3.2; code inspection indicates 3.112 also
>vulnerable.
>Organization:
>Environment:
FreeBSD 3.4-STABLE
>Description:
send-pr overwrites predictably named files in /tmp (unless
TMPDIR is set.)
>How-To-Repeat:
symlink /tmp/p$$ to something interesting for a range of
values of $$, run send-pr (or sit back and wait for victim
to run it if you're evil.) Observe overwritten target file.
>Fix:
Use mktemp(1) on systems that support it, else do the
usual create-temp-directory-carefully magic.
>Release-Note:
>Audit-Trail:
>Unformatted:
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- gnats/52: send-pr is vulnerable to symlink attacks,
phil+gnats <=