Ticket #69 (closed defect: fixed)

Opened 11 years ago

Last modified 11 years ago

bzdiff tempfile patch is bad

Reported by: alexander@… Owned by: clfs-commits@…
Priority: major Milestone: CLFS Sysroot 1.0.0
Component: BOOK Version: CLFS Sysroot 1.0.0
Keywords: security Cc:

Description

Without "tempfile", bzdiff creates files in /tmp with predictable names (because PIDs are not random). This allows for a symlink-based attack. Also, the "tempfile" program is installed anyway. Please remove the patch.

Change History

comment:1 Changed 11 years ago by chris@…

The idea is to remove the reference to tempfile because it is deprecated, and hopefully be able to remove the tempfile patch from the book. Actually, I am the one who originally suggested changing bzdiff, but my original idea was to do what was done in LFS - to simply use a sed to replace the tempfile reference with mktemp.

comment:2 Changed 11 years ago by jciccone

From what I can tell the tempfile patch can be replaced with this sed:

sed -i "/tmp=/s/\`.*\`/\`mktemp\`/" bzdiff

which changes this line:

tmp=`tempfile -d /tmp -p bz` || {

to

tmp=`mktemp` || {

comment:3 Changed 11 years ago by chris@…

Yeah, I think that's what we should do.

comment:4 Changed 11 years ago by jim

This patch of mine was accepted upstream.

 http://www.linuxfromscratch.org/patches/downloads/bzip2/bzip2-1.0.3-remove_tempfile-1.patch

This removes tempfile and uses the same method that is used in gzip.

comment:5 Changed 11 years ago by jciccone

  • Status changed from new to closed
  • Resolution set to fixed

Closing this ticket as fixed. Jim's patch has been included in bzip2-1.0.4.

Note: See TracTickets for help on using tickets.