[Pkg-kde-bugs-fwd] [Bug 101440] New: Unsafe use of temporary file in dcopidlng script
Debian KDE Maintainers
101440@bugs.kde.org
13 Mar 2005 19:06:43 -0000
http://bugs.kde.org/show_bug.cgi?id=101440
Summary: Unsafe use of temporary file in dcopidlng script
Product: dcop
Version: unspecified
Platform: Debian testing
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
AssignedTo: bastian kde org
ReportedBy: pkg-kde-bugs-fwd lists alioth debian org
Version: (using KDE KDE 3.4.0)
Installed from: Debian testing/unstable Packages
OS: Linux
The following was posted to Debian as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298533 by Javier Fernández-Sanguino Peña <jfs computer org>. It would be nice if KDE included this fix (attached), which applies to the latest code:
---
Reviewing the Gentoo advisory GLSA 200503-14 [0] which refers to
CAN-2005-0365 I've checked out to see if our dcopidlng script was
vulnerable to the symlink attack found by Davide Madrisan even though it
does not use /tmp.
It seems ours is not because the temporary file is
created in the local directory (instead of in /tmp) directly, however, the
creation does provide a way for a race condition.
I think the attached patch is a better fix for this issue than the one
provided by Gentoo [1]. There are several bugs in Gentoo's fix:
1- The file is removed twice (once in the trap and once at the end of the
fix)
2- Leaving temporary files in the home directory might not be good. Mktemp
-t is better since users can set their TMPDIR environment variable to point
to "/home/user/tmp" if they want to, but users without a home directory
(think chroot) will work in any case (falls back to /tmp)
3- The temporary file is still being created in an unsafe way (but in a safe
directory), mktemp does this better
So, please use the attached patch (and maybe forward it upstream) for a
next release.
[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=51120&action=view
---
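
The three points raised in the report (a single removal point, a temporary directory taken from TMPDIR with /tmp as the fallback, and creation left to mktemp), shown as an added shell example. It is not the attached patch or KDE's code, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example; names are hypothetical and this is not the attached patch.

# Unsafe pattern: a predictable name in the working directory, opened with a
# plain redirect. A symlink already sitting at that name is followed.
sort_unsafe() {
    tmpfile="./sort_example.tmp"
    cat > "$tmpfile"
    sort "$tmpfile"
    rm -f -- "$tmpfile"
}

# Hardened pattern. The body is a subshell so the traps stay local to it.
sort_safe() (
    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so an existing file or symlink is never reused.
    # ${TMPDIR:-/tmp} honours the user's TMPDIR and falls back to /tmp,
    # the directory choice the report describes for "mktemp -t".
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/sort_example.XXXXXX") || exit 1
    # Single removal point: the EXIT trap. No second rm at the end.
    trap 'rm -f -- "$tmpfile"' EXIT
    # Turn signals into a normal exit so the EXIT trap still runs.
    trap 'exit 1' HUP INT TERM
    cat > "$tmpfile"
    sort "$tmpfile"
)
```

Both functions read lines on stdin and print them sorted; only the handling of the intermediate file differs.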