[Bug 217311] Review Request: xarchiver - Archive manager for Xfce
bugzilla at redhat.com
Sun Dec 10 23:47:58 UTC 2006
Summary: Review Request: xarchiver - Archive manager for Xfce
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217311
------- Additional Comments From pertusus at free.fr 2006-12-10 18:47 EST -------
(In reply to comment #14)
> As I have not tested lha I have also removed x-lha and x-lhz now. I still would
> like rar in. If the required program (from the other repo) is not installed,
> xarchiver will show a message that tells you to install it. This should IMHO be
> allowed.
Ok for rar.
> Can you please clarify the symlink-attack problem from comment #4 a little? My
> hacking skills are too low to explain to Giuseppe what you mean. Seems like he
> already noticed there's something not sane, see
> http://bugzilla.xfce.org/show_bug.cgi?id=2616
If a program creates a file below /tmp with a predictable name,
it opens a possibility for this well known attack. In short, an attacker
has to create the conditions for a race condition by slowing down
xarchiver, then creates a symlink in /tmp which overwrites a file.
A longer story is: the attacker waits for you to begin opening a .deb,
slows xarchiver, creates a symlink in /tmp/ with the predictable name
pointing to one of your files, and this file's content will be
overwritten by the newly created file's content. A simple fix is to
use mkdtemp or mkstemp to create the directory or the file with an
unpredictable name.