From owner-freebsd-bugs Sat Mar 4 2:10: 5 2000 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 57EF437B782 for ; Sat, 4 Mar 2000 02:10:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id CAA18738; Sat, 4 Mar 2000 02:10:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Date: Sat, 4 Mar 2000 02:10:02 -0800 (PST) Message-Id: <200003041010.CAA18738@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org Cc: From: Sheldon Hearn Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability Reply-To: Sheldon Hearn Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following reply was made to PR gnu/17175; it has been noted by GNATS. From: Sheldon Hearn To: phil@rivendell.apana.org.au Cc: FreeBSD-gnats-submit@FreeBSD.ORG Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability Date: Sat, 04 Mar 2000 12:03:23 +0200 On Sat, 04 Mar 2000 19:44:21 +1000, Phil Homewood wrote: > Create lots of symlinks from /tmp/p$$ to something > interesting. Run send-pr, or wait for your victim to do > so. Observe target file now containing victim's name. This only works when the user running send-pr has write permission on the affected file, right? While this should be fixed, it's certainly not a show-stopper if it's just a user-to-user annoyance. Nobody sensible runs send-pr as root. So, assuming I'm right about the urgency involved, have you investigated the possibility of a patch from the vendor? Although the send-pr.sh file isn't on the vendor branch any more, it'd make sense to try to use a vendor-supplied patch. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message