[Radiance-dev] Security issue - Insecure use of files in /tmp
Gregory J. Ward
gregoryjward at gmail.com
Wed Aug 13 06:21:10 PDT 2008
Hi Bernd,
How do you create a file with an "unpredictable" name? Why is this
even an issue unless a script or program has the suid bit enabled?
Radiance programs should never have permission to do anything a user
couldn't, unless they're being run by root.
There are quite a few scripts that create temporary files this way in
Radiance:
% grep -l '/tmp' */*.csh
cv/optics2rad.csh
gen/genbackg.csh
gen/genpine.csh
gen/genwindow.csh
gen/markpath.csh
px/falsecolor.csh
px/normpat.csh
px/pacuity.csh
px/pbilat.csh
px/pdelta.csh
px/phisteq.csh
px/phisto.csh
px/psquish.csh
px/pveil.csh
px/ran2tiff.csh
px/vlpic.csh
px/xyzimage.csh
util/compamb.csh
util/dayfact.csh
util/objline.csh
util/objpict.csh
util/objview.csh
util/raddepend.csh
-Greg
> From: Bernd Zeimetz <bernd at bzed.de>
> Date: August 13, 2008 4:07:07 AM PDT
>
> Hi,
>
> unfortunately I got a bug report about insecure handling of temp files
> in Radiance:
>
> radiance_3R9+20080530-3 dayfact /tmp/gsf$$ (pipe)
> /tmp/tl$$.pic (pipe)
> /tmp/ds$$.pic (pipe)
> /tmp/tfa$$ (pipe)
> optics2rad /tmp/opt.fmt (pipe)
> /tmp/out$$.fmt (pipe)
> raddepend /tmp/sed$$ (pipe)
>
> Temp files need to be created with a non-predictable way, otherwise
> other users could create a link or file with the same name to trick
> you
> into overwriting files, which could (in the worse case) result into a
> compromise of the system.
> In case you know about similar problems in other scripts or even in
> the
> C code, please let me know, so they can be fixed, too.
> Regarding Debian, such bugs are considered 'grave'. I'll have to
> upload
> a fix soon for Lenny, otherwise the package will be removed.
>
>
> Best regards,
>
> Bernd
More information about the Radiance-dev
mailing list