From: Kamil Dudka
Subject: Re: [Nano-devel] [PATCH 2/2] use futimens() if available, instead of utime()
Date: Sun, 28 Nov 2010 21:13:38 +0100
User-agent: KMail/1.9.10
On Thursday 19 August 2010 15:34:12 Kamil Dudka wrote:
> Hello,
>
> the attached patch eliminates a race condition on the call of utime()
> on systems that have futimens(). In the current code, there is a similar
> flaw as described in CVE-2010-1161. Though it's not possible to change
> the ownership of the backup file using a symlink attack, it's still
> possible to change its atime/mtime. With the patch applied, there is no
> such problem as long as futimens() is available during the build time.
>
> Thanks in advance for considering the patch!
Please find the updated version of the patch. The original version contained
a bug that caused futimens() to operate on an invalid file descriptor. A proper
fix would probably be to rewrite copy_file() such that it does not close the
given streams. Is such a change welcome?
> Kamil
0002-use-futimens-if-available-instead-of-utime.patch
Description: Text Data
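
The descriptor-based approach discussed in this message, as an added example that is not the attached nano patch: timestamps are applied through the still-open backup stream with futimens(), before fclose(), so replacing the backup path with a symlink does not redirect them. The names stamp_backup and demo_fd_stamp_ignores_path_swap, the /tmp paths and the timestamp value are assumptions made for the illustration, and the code assumes the Linux/glibc struct stat fields st_atim and st_mtim.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stamp the backup through its open descriptor, not its path. Call before
 * fclose(): afterwards the descriptor is no longer valid. */
int stamp_backup(FILE *backup, const struct stat *orig)
{
    struct timespec ts[2] = { orig->st_atim, orig->st_mtim };
    if (fflush(backup) != 0)   /* later writes would bump mtime again */
        return -1;
    return futimens(fileno(backup), ts);
}

/* Constructed scenario: the backup path is swapped for a symlink after the
 * file was opened. Returns 0 if only the opened file got the timestamps. */
int demo_fd_stamp_ignores_path_swap(void)
{
    char dir[] = "/tmp/futimens-demo-XXXXXX", other[64], backup[64];
    struct stat orig = {0}, st_other, st_backup;
    int fd, ok = 0;
    FILE *fp;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(backup, sizeof backup, "%s/file~", dir);
    orig.st_atim.tv_sec = orig.st_mtim.tv_sec = 1000000000; /* constructed */

    fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600); /* unrelated file */
    if (fd < 0 || close(fd) != 0)
        return -1;
    fd = open(backup, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 || (fp = fdopen(fd, "w")) == NULL)
        return -1;
    fputs("backup data\n", fp);
    /* The path now names a symlink to the other file; the fd is unaffected. */
    if (unlink(backup) == 0 && symlink(other, backup) == 0 &&
        stamp_backup(fp, &orig) == 0 &&
        fstat(fileno(fp), &st_backup) == 0 && stat(other, &st_other) == 0)
        ok = st_backup.st_mtim.tv_sec == 1000000000 &&
             st_other.st_mtim.tv_sec != 1000000000;

    fclose(fp);
    unlink(backup); unlink(other); rmdir(dir);
    return ok ? 0 : -1;
}
```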