Date: Sat, 4 Mar 2000 02:20:02 -0800 (PST)
From: Phil Homewood <phil@rivendell.apana.org.au>
To: freebsd-bugs@FreeBSD.org
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Message-ID: <200003041020.CAA19240@freefall.freebsd.org>
The following reply was made to PR gnu/17175; it has been noted by GNATS.
From: Phil Homewood <phil@rivendell.apana.org.au>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: gnu/17175: [PATCH] send-pr predictable tempfile vulnerability
Date: Sat, 4 Mar 2000 20:12:12 +1000
Sheldon Hearn wrote:
> This only works when the user running send-pr has write permission on
> the affected file, right?
Yes.
> While this should be fixed, it's certainly not a show-stopper if it's
> just a user-to-user annoyance. Nobody sensible runs send-pr as root.
You're assuming sensible users. Bad move. :-)
I still think it's serious enough to warrant a fix.
> So, assuming I'm right about the urgency involved, have you
> investigated the possibility of a patch from the vendor? Although the
> send-pr.sh file isn't on the vendor branch any more, it'd make sense to
> try to use a vendor-supplied patch.
PR has been submitted to vendor as well. "gnats/52" is the Cygnus
tracking ID.
Note too my follow-up patch (the initial one erroneously took out the
'[ -z "$TMPDIR" ] && TMPDIR=/tmp' line, which is still needed).
Sorry 'bout that. :-)
--
Phil Homewood dot@atat.dotat.org phil@rivendell.apana.org.au
Member, Australian Public Access Network Association
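An added illustration, not send-pr.sh itself nor either poster's patch: a predictable temp name of the kind the PR describes (the exact pattern used by send-pr is not shown in this thread, so `pr.$$` is a constructed stand-in) beside a mktemp(1) replacement that keeps the TMPDIR default line the follow-up patch restores, plus a check a script can run before trusting a temp path.

```sh
#!/bin/sh
# Constructed illustration of the weak pattern: the PID is guessable, so
# anything pre-created at this path (e.g. a symlink) is followed when the
# script later writes to it. The path is only computed here, never opened.
predictable_tmpfile() {
    [ -z "$TMPDIR" ] && TMPDIR=/tmp     # default line the follow-up patch keeps
    echo "$TMPDIR/pr.$$"
}

# Hardened form: keep the same TMPDIR default, but let mktemp(1) pick an
# unpredictable name and create the file atomically with mode 0600.
safe_tmpfile() {
    [ -z "$TMPDIR" ] && TMPDIR=/tmp
    umask 077
    mktemp "$TMPDIR/pr.XXXXXXXX" || return 1
}

# Check a temp path before reusing it: refuse symlinks, non-regular files,
# files owned by someone else, and anything not mode 0600. These are the
# conditions under which the predictable name becomes a real problem.
tmpfile_is_safe() {
    f=$1
    [ -L "$f" ] && return 1                     # symlink at a guessable name
    [ -f "$f" ] || return 1                     # must be a regular file
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1      # must be ours
    case $(ls -ld "$f" | cut -c1-10) in
        -rw-------) return 0 ;;                 # 0600: nobody else reads/writes
        *)          return 1 ;;
    esac
}
```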
