Hi,

On Mon, Nov 10, 2008 at 02:14:31AM -0800, Pavel N. Krivitsky wrote:
> 1) The current version has this exact vulnerability (if it is one) to an
> even greater extent, so I would not be adding a new vulnerability --- if
> it's a vulnerability, it should be filed as a separate bug, and fixed by
> someone who understands it better than I do.

Agreed. I didn't open one, because I'm not sure whether it's really a vulnerability or not. But I think that it's better to give some attention to it now instead of closing this bug (by an upload) and probably let it be forgotten.

> 2) My understanding is that the predictable temporary filenames are
> mainly a problem when the temporary file is created in a directory to
> which many users have write access, like /tmp. In the case of this
> program, the temporary directory is the directory that contains the
> original Ogg file --- likely the user's , so if an attacker is in a
> position to take advantage of the predictable temporary filename, the
> attacker wouldn't need the predictable temporary filename to cause harm.

I have the same understanding of the predictable temporary filenames problem, but I thought about scenarios where the ogg files are stored in a shared location, which is probably quite likely in a multi-user setup. In this case the attacker would still need write permissions to the directory, but this isn't that absurd in a shared storage scenario anyway and could still give him the possibility to let the user of this program overwrite arbitrary files. Given

> 3) This bug causes unpredictable data loss, and since many users now
> have multicore systems and may thus be tempted to run multiple instances
> of vorbisgain in parallel, the bug should be fixed as quickly as
> possible.

Well, I think that a security issue as outlined above is also critical, because it makes data loss possible as well. However the outlined security issue requires some deliberateness, so I agree that this has high(er) priority.

Best Regards,
Patrick
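The two concerns raised in this thread (a planted name in a shared directory, and parallel instances sharing one temporary name) have a common mitigation, shown here as an added example that is not part of the original message and not vorbisgain's code. The function name `replace_file_safely` and the `.rewrite.XXXXXX` template are hypothetical.

```c
/* Added illustration, not vorbisgain code; all names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Replace `target` with `len` bytes of `data` via a temp file in the same
 * directory. Returns 0 on success, -1 on error (target left untouched). */
int replace_file_safely(const char *target, const void *data, size_t len)
{
    char dirbuf[PATH_MAX], tmp[PATH_MAX];

    if (strlen(target) >= sizeof dirbuf)
        return -1;
    strcpy(dirbuf, target);            /* dirname() may modify its argument */
    if (snprintf(tmp, sizeof tmp, "%s/.rewrite.XXXXXX", dirname(dirbuf)) >= (int)sizeof tmp)
        return -1;

    /* mkstemp() picks a random suffix and opens with O_CREAT|O_EXCL, so it
     * fails on any pre-existing name (including a planted symlink) instead
     * of following it; two parallel instances also get distinct files. */
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;

    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) goto fail;
        p += n; len -= (size_t)n;
    }
    if (fsync(fd) != 0) goto fail;
    if (close(fd) != 0) { fd = -1; goto fail; }
    fd = -1;
    /* rename() replaces the directory entry atomically; if `target` is a
     * symlink, the link itself is replaced, not the file it points to. */
    if (rename(tmp, target) == 0)
        return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmp);
    return -1;
}
```

mkstemp() creates the file with mode 0600, so a real tool would also copy the original file's mode and ownership onto the temporary file before the rename.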