Opened 18 years ago

Closed 18 years ago

#69 closed defect (fixed)

bzdiff tempfile patch is bad

Reported by: alexander@…
Owned by: clfs-commits@…
Priority: major
Milestone: CLFS Sysroot 1.0.0
Component: BOOK
Version: CLFS Sysroot 1.0.0
Keywords: security
Cc:

Description

Without "tempfile", bzdiff creates files in /tmp with predictable names (because PIDs are not random). This allows for a symlink-based attack. Also, the "tempfile" program is installed anyway. Please remove the patch.

Change History (5)

comment:1 by chris@…, 18 years ago

The idea is to remove the reference to tempfile because it is deprecated, and hopefully be able to remove the tempfile patch from the book. Actually, I am the one who originally suggested changing bzdiff, but my original idea was to do what was done in LFS - to simply use a sed to replace the tempfile reference with mktemp.

comment:2 by Joe Ciccone, 18 years ago

From what I can tell the tempfile patch can be replaced with this sed:

sed -i "/tmp=/s/\`.*\`/\`mktemp\`/" bzdiff

which changes this line:

tmp=`tempfile -d /tmp -p bz` || {

to

tmp=`mktemp` || {
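
Added example (not part of the comment above, the CLFS book or the bzip2 sources): the sed from comment 2 run as a filter on the quoted line, next to a comparison of a PID-based temporary name with mktemp inside a private scratch directory. The name pattern bz.<PID>, the scratch directory and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: not code from this ticket, the CLFS book, or bzip2.

# The sed from comment 2, as a filter (no -i) so it can be run on sample text.
patch_line() {
    sed "/tmp=/s/\`.*\`/\`mktemp\`/"
}

# Predictable name, assumed here to be "<dir>/bz.<PID>", opened with a plain
# redirect. A link that already sits at that path is followed by the shell.
# Prints what ended up in the file the link points to.
write_predictable() {   # $1 = scratch dir, $2 = unrelated file
    name="$1/bz.$$"
    ln -s "$2" "$name"              # constructed stand-in for a pre-existing link
    echo "bzdiff scratch data" > "$name"
    cat "$2"
}

# mktemp picks an unguessable name and creates it exclusively with mode 0600,
# so a link prepared in advance is never opened. Prints the new path.
write_mktemp() {        # $1 = scratch dir
    tmp=$(mktemp "$1/bz.XXXXXX") || return 1
    echo "bzdiff scratch data" > "$tmp"
    echo "$tmp"
}

demo() {
    dir=$(mktemp -d) || return 1    # private scratch directory, not /tmp itself
    echo "original" > "$dir/unrelated"
    echo 'tmp=`tempfile -d /tmp -p bz` || {' | patch_line
    echo "predictable name: unrelated file now holds: $(write_predictable "$dir" "$dir/unrelated")"
    new=$(write_mktemp "$dir")
    [ -f "$new" ] && [ ! -L "$new" ] && echo "mktemp: fresh regular file $new"
    rm -rf "$dir"
}
demo
```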

comment:3 by chris@…, 18 years ago

Yeah, I think that's what we should do.

comment:4 by Jim Gifford, 18 years ago

This patch of mine was accepted upstream.

http://www.linuxfromscratch.org/patches/downloads/bzip2/bzip2-1.0.3-remove_tempfile-1.patch

This removes tempfile and uses the same method that is used in gzip.

comment:5 by Joe Ciccone, 18 years ago

Resolution: fixed
Status: new → closed

Closing this ticket as fixed. Jim's patch has been included in bzip2-1.0.4.
