Hi again,
I'm sorry, my previous patch didn't check mktemp's return value, and if
mktemp fails, DIR is empty and [ -d $DIR ] succeeds (for whatever
reason). So this is still exploitable if fbgs is executed in a dir the
attacker has write access to.
Attached a new version which might be correct. :/
Jan
diff -ru fbida-2.01.orig/fbgs fbida-2.01/fbgs
--- fbida-2.01.orig/fbgs 2004-03-28 13:32:16.000000000 +0200
+++ fbida-2.01/fbgs 2006-04-08 02:49:37.000000000 +0200
@@ -1,8 +1,8 @@
#!/bin/bash
# tmp dir
-DIR="${TMPDIR-/var/tmp}/fbps-$$"
-mkdir -p $DIR || exit 1
+DIR=`mktemp -dt fbgs-XXXXXX`
+[ $? -eq 0 ] || exit 1
trap "rm -rf $DIR" EXIT
# parse options