Jonathan Nieder wrote:

> Michael Gilbert wrote:
> 
> > If the attacker
> > has control of /tmp and all can generate any file name permutation in
> > time to get his malicious version in place of the intended one, then
> > the real issue is that tmpfile's file name generation is weak, and the
> > problem would need to be fixed there.
> 
> Not really.  If I set the TMPDIR environment variable to something
> containing shell metacharacters, then tempfile(1) [note, the utility,
> not the library function] will use it.  And the underescaping is still
> present.  This has nothing to do with symlink attacks.

Ok, I see now.  Then the root cause is that tempfile will "listen to"
the TMPDIR setting.  So, to fix that core problem, shouldn't we disable
it?  Note functionality shouldn't be lost since there is still the
"--directory" option; although some scripts may need to be fixed.

But in the meantime I'll add the additional hardening.

Best wishes,
Mike
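
Added example, not part of the original message or of debianutils: a shell demonstration of the hardening discussed in this thread, where a temp-file path derived from TMPDIR is kept from being re-parsed as shell text. Assumptions: mktemp(1) stands in for tempfile(1), and `sh_quote`, `run_demo` and the directory name are constructed for illustration.

```sh
#!/bin/sh
# Added example. mktemp(1) stands in for tempfile(1) (assumption); both take
# their directory from TMPDIR when none is given explicitly.

# Quote a string so it is safe inside text handed to sh -c or eval:
# wrap it in single quotes and rewrite each embedded ' as '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Constructed directory name containing shell metacharacters: space, ;, $(), '.
odd_name="a b;\$(echo x)'q"

# Create a temp file under a TMPDIR with that name, then read it back through
# two hardened command forms. Prints "<result1>|<result2>".
run_demo() {
    base=$(mktemp -d /tmp/quote-demo.XXXXXX) || return 1
    mkdir "$base/$odd_name" || return 1
    f=$(TMPDIR="$base/$odd_name" mktemp) || return 1
    # Confirm the utility really honored TMPDIR.
    case $f in
        "$base/$odd_name"/*) ;;
        *) rm -rf "$base"; return 1 ;;
    esac
    printf 'hello\n' >"$f"
    # Underescaped form, left as a comment only:  sh -c "cat $f"
    # The shell would re-parse the ;, $() and ' inside the path.
    # Hardened form 1: quote the path before it becomes shell text.
    r1=$(sh -c "cat $(sh_quote "$f")")
    # Hardened form 2: keep the path out of the shell text entirely.
    r2=$(sh -c 'cat "$1"' sh "$f")
    rm -rf "$base"
    printf '%s|%s\n' "$r1" "$r2"
}
```

Form 2 is preferable wherever the caller controls the command line, since it needs no quoting helper at all.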


