tags 496419 confirmed
thanks

Hi,
A simple grep revealed a lot of tempfile issues here, see below. As far as I
understand it, the code runs as root. This makes the issue quite serious.
Please make sure this is fixed before lenny is released.
As several different temp files are used insecurely, it may be better to
create a separate, private working directory for the program where it may
store all those files at will.
cheers,
Thijs

./config-scripts/xen-3.2/configure-xend.sh: cat <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh: $OPENSSL req -new -key $KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh: rm /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: cat <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: $OPENSSL req -new -key $KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: rm /tmp/open_ssl.res
./src/utils.py: updates_file = "/tmp/updates.xml"
./src/utils.py: dir="/tmp")
./src/utils.py: TEST_CONFIGFILE = '/tmp/convirt.conf'
./src/XenNode.py: dom_config.save("/tmp/test_config")
./src/XenNode.py: newcfg.set_filename("/tmp/Txx")
./src/XenNode.py: f = managed_node.node_proxy.open("/tmp/Txx")
./src/XenNode.py: print "### read config from /etc/xen/auto and write them to /tmp"
./src/XenNode.py: d.save("/tmp/" + f)
./src/NodeProxy.py: node.put("/tmp/send", "/tmp/send_r")
./src/NodeProxy.py: node.get("/tmp/send_r", "/tmp/received")
./src/NodeProxy.py: fd = node.open('/tmp/test_writable','w')
./src/NodeProxy.py: print 'exists?: ',node.file_exists('/tmp/test_writable')
./src/NodeProxy.py: print 'isWritable?: ', node.file_is_writable('/tmp/test_writable')
./src/NodeProxy.py: node.remove('/tmp/test_writable')
./src/NodeProxy.py: print 'exists?: ', node.file_exists('/tmp/test_writable')
./src/NodeProxy.py: node.mkdir("/tmp/node_test")
./src/NodeProxy.py: w = node.open("/tmp/node_test/test", "w")
./src/NodeProxy.py: r = node.open("/tmp/node_test/test")
./src/NodeProxy.py: node.remove("/tmp/node_test/test")
./src/NodeProxy.py: node.rmdir("/tmp/node_test")
./src/NodeProxy.py: output,code = node.exec_cmd('find /tmp')
./src/NodeProxy.py: output,code = node.exec_cmd('junk /tmp')
./src/GridManager.py: dir="/tmp")
./src/KVMProxy.py: cmdline = cmdline + " -monitor unix:/tmp/" + config.get("name") + \
./src/KVMProxy.py: config["monitor"] = "unix:/tmp/xyz"
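Added example, not part of the original report or of the program's own code: the fixed-name write pattern from the grep hits next to the private working directory the report suggests, run entirely inside a constructed sandbox directory. The function names, the `convirt-` prefix and the sandbox layout are assumptions made for illustration.

```python
import contextlib
import os
import shutil
import stat
import tempfile

def write_predictable(path, data):
    # Pattern from the grep hits: open() follows a symlink already at `path`.
    with open(path, "w") as fh:
        fh.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails if anything, including a symlink, exists at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

@contextlib.contextmanager
def private_workdir(prefix="convirt-"):
    # mkdtemp() picks an unpredictable name and creates the directory mode 0700.
    path = tempfile.mkdtemp(prefix=prefix)
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)

def demo():
    # Constructed sandbox: `shared` stands in for /tmp, `target` for a file
    # that only the privileged process should be able to change.
    with private_workdir("demo-") as base:
        shared, target = os.path.join(base, "shared"), os.path.join(base, "target")
        os.mkdir(shared)
        write_exclusive(target, "original")
        fixed = os.path.join(shared, "updates.xml")
        os.symlink(target, fixed)  # entry that exists before the program runs
        write_predictable(fixed, "<updates/>")
        with open(target) as fh:
            clobbered = fh.read() == "<updates/>"
        try:
            write_exclusive(fixed, "<updates/>")
            refused = False
        except FileExistsError:
            refused = True
        with private_workdir() as work:
            mode = stat.S_IMODE(os.stat(work).st_mode)
            write_exclusive(os.path.join(work, "updates.xml"), "<updates/>")
        return {"naive_clobbered_target": clobbered, "exclusive_refused_symlink": refused,
                "workdir_mode": mode, "workdir_removed": not os.path.exists(work)}
```

The same approach covers the shell hits: `mktemp -d` gives the script a private directory in which `open_ssl.res` can be created and removed.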

