On Tue, Mar 17, 1998 at 03:39:58PM +0100, Michal Zalewski wrote: > Lynx's /tmp file creation procedure is so poor that it isn't the only > vunerability. > Source code details/fix: > In LYUtils.c, they written their own function to make tmp filename, called > tempname. How it works: > sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++); Actually, lynx is using LYNX_TEMP_SPACE instead of TMPDIR, so setting that one to $HOME/.tmp (or whatever your favorite place is) should help against that temp race. (Yes, I know that this isn't the real fix, but it's a quick workaround.) On a related topic, H. P. Anvin's magicfilter 1.2 package contains yet another /tmp race. The fix (replacing tmpnam && fopen by mkstemp && fdopen is trivial), so I don't include it. Please note that this problem is especially dangerous, since magicfilter will run as root on a typical installation. tlr -- Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/ 2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:59 PDT