On Wed, Jan 19, 2005 at 01:42:32PM -0500, Joey Hess wrote:
> I don't understand how these bugs can be exploited. Both programs
> contain code like this:

You are right, I didn't notice the -e. However, the fixps script also has:

    fixps_sed=$tmpdir/fixps.sed
    (...)
    file=$tmpdir/stdin.ps
    cat >$file
    (...)
    : >$fixps_sed
    (...)

Similar code is found in psmandup. The umask is not properly defined to
avoid symlink attacks, a user just has to check when a temporary directory
is created and create those files before they are used.

You could argue that a script should not protect users with insecure
umasks, but the standard way of creating temporary directories is by first
setting a 077 umask, and mktemp honors that (BTW the "we don't protect
users with unsafe umasks" has been discussed in other similar bug reports).

I'd rather see all scripts in Debian using either mktemp or tempfile
instead of $$ for temporary files, it will make it much easier to do source
code auditing for this same bug in the future.

Regards

Javier
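
The pattern the message recommends (umask 077, then mktemp), shown as an added example that is not part of the original message and not code from fixps or psmandup. The helper names make_workdir, safe_create and demo are hypothetical, and the planted link is a constructed test case.

```shell
#!/bin/sh
# Added example, not code from fixps or psmandup. make_workdir, safe_create
# and demo are hypothetical names; the planted link below is constructed.

umask 077   # set before anything is created: new files are owner-only

# Create a mode-0700 directory with an unpredictable name; print its path.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# Create an empty file, failing if the name already exists. Under noclobber
# (set -C) the shell refuses an existing regular file, also through a
# symlink; bash and dash open a missing name with O_EXCL, so a dangling
# link fails as well.
safe_create() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Constructed scenario: a link already sits where the script wants its file.
demo() {
    dir=$(make_workdir fixps) || return 1
    victim=$dir/victim.txt
    printf 'keep me\n' > "$victim"
    ln -s "$victim" "$dir/fixps.sed"        # stands in for a planted link
    if safe_create "$dir/fixps.sed"; then
        result=followed
    else
        result=refused
    fi
    content=$(cat "$victim")
    rm -rf "$dir"
    echo "$result:$content"
}

demo   # prints refused:keep me
```

A plain `: >$fixps_sed` in the same situation would truncate the file the link points to, which is the behaviour the message objects to.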