Opened 17 years ago
Closed 16 years ago
#69 closed defect (fixed)
bzdiff tempfile patch is bad
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | CLFS Sysroot 1.0.0 |
| Component: | BOOK | Version: | CLFS Sysroot 1.0.0 |
| Keywords: | security | Cc: |
Description
Without "tempfile", bzdiff creates files in /tmp with predictable names (because PIDs are not random). This allows for a symlink-based attack. Also, the "tempfile" program is installed anyway. Please remove the patch.
Change History (5)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
From what I can tell the tempfile patch can be replaced with this sed:
sed -i "/tmp=/s/\`.*\`/\`mktemp\`/" bzdiff
which changes this line:
tmp=`tempfile -d /tmp -p bz` || {
to
tmp=`mktemp` || {
comment:4 Changed 17 years ago by
This patch of mine was accepted upstream.
http://www.linuxfromscratch.org/patches/downloads/bzip2/bzip2-1.0.3-remove_tempfile-1.patch
This removes tempfile and uses the same method that is used in gzip.
comment:5 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Closing this ticket as fixed. Jim's patch has been included in bzip2-1.0.4.
Note: See
TracTickets for help on using
tickets.
The idea is to remove the reference to tempfile because it is deprecated, and hopefully be able to remove the tempfile patch from the book. Actually, I am the one who originally suggested changing bzdiff, but my original idea was to do what was done in LFS - to simply use a sed to replace the tempfile reference with mktemp.