On Mon, Nov 30, 1998 at 10:16:21PM +0200, Yuri Kuzmenko wrote:
> lrz (Linux ZMODEM file receiver) from lrzsz package has a security hole
> with file permission.
>
> lrz creates file with 0666 mode (world writable)

No, it doesn't. fopen() is not that buggy.

> File mode set to normal (specified by other side) only after downloading.

correct.

> my umask is 022

I don't see a code path which doesn't honor your umask, and testing shows
that the files get created with (0666 & ~(umask)).

So what did you do? Can you tell me how to reproduce the behaviour you have
seen?

btw: I really like waking up and finding the name of software packages I
maintain (especially those I only maintain because nobody else did) on
bugtraq. It's going to be a beautiful day. Next time just send me an email
some time before you send it to bugtraq. Thank you.

Regards, Uwe
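The creation-mode behaviour discussed in this message, as an added example that is not part of the original post and is not lrzsz code: it creates a file with fopen() under a chosen umask and reports the resulting permission bits. The function name, the scratch path and the `private_create` variant (open() with 0600, which stays private even under umask 000) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file under umask `mask` and return its permission bits
 * (or -1 on error). private_create == 0: fopen(), as the thread discusses.
 * private_create == 1: open() with 0600, an added hardening variant. */
static int created_mode(mode_t mask, int private_create)
{
    char dir[] = "/tmp/umask_demo_XXXXXX";   /* constructed scratch directory */
    char path[64];
    struct stat st;
    int fd, mode = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/incoming", dir);

    mode_t old = umask(mask);
    if (private_create) {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    } else {
        FILE *fp = fopen(path, "w");         /* asks for 0666; kernel clears umask bits */
        fd = fp ? dup(fileno(fp)) : -1;
        if (fp)
            fclose(fp);
    }
    umask(old);                              /* restore the caller's umask */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("fopen, umask 022:     %04o\n", (unsigned)created_mode(022, 0));
    printf("fopen, umask 000:     %04o\n", (unsigned)created_mode(000, 0));
    printf("open 0600, umask 000: %04o\n", (unsigned)created_mode(000, 1));
    return 0;
}
```

With umask 022 the fopen() case yields 0644; a world-writable 0666 file appears only when the process runs with umask 000.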
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:26 PDT