Date: Sun, 23 Feb 2014 08:12:21 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: temporary file creation vulnerability in Redis

Hi,

On 23 February 2014 07:35, Matthew Hall <mhall@...omputing.net> wrote:

>    641      snprintf(tmpfile,256,"temp-%d.rdb", (int) getpid());
>    642      fp = fopen(tmpfile,"w");
> ...
>    699      if (rename(tmpfile,filename) == -1) {
>
This looks like the standard pattern for atomic file writing.  The temp
file would probably be in the same directory as the data file, since
cross-device rename() doesn't work.

This class of vulnerability relies on the fact that other users have write
access to the directory that the tempfile is written to.

Regards,
  Michael
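As an added illustration, not code from this thread or from Redis, the following C shows the temp-file-plus-rename pattern in the form a reviewer would want to see when the write directory might be shared: the temp name comes from mkstemp() (random suffix, O_CREAT|O_EXCL, mode 0600) and is created in the same directory as the target so that rename() stays on one device, and a small helper reports whether that directory is writable by group or others, which is the precondition the message above describes. Function names, the `.tmp-XXXXXX` template, the `/tmp/atomic-demo-XXXXXX` scratch paths and the payload string are all constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkstemp(), mkdtemp(), fsync() prototypes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if group or "other" may create entries in dir, 0 if only the
   owner may, -1 if dir cannot be stat()ed. A shared-writable directory is
   the precondition for the predictable-tempfile problem; a sticky bit
   (as on /tmp) does not remove it, so it is deliberately not considered. */
int dir_is_shared_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Atomically replace filename with data: write to an unpredictable temp
   file in the same directory (mkstemp: O_CREAT|O_EXCL, so a pre-planted
   symlink or file at that name makes creation fail instead of being
   followed), fsync it, then rename() over the target. Returns 0 or -1. */
int atomic_write_file(const char *filename, const void *data, size_t len) {
    static const char suffix[] = ".tmp-XXXXXX";   /* constructed template */
    char tmpl[4096];
    const char *slash = strrchr(filename, '/');
    size_t dirlen = slash ? (size_t)(slash - filename + 1) : 0; /* keeps '/' */
    if (dirlen + sizeof suffix > sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    memcpy(tmpl, filename, dirlen);
    memcpy(tmpl + dirlen, suffix, sizeof suffix);

    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, (const char *)data + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        off += (size_t)n;
    }
    if (fsync(fd) != 0) goto fail;
    if (close(fd) != 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmpl, filename) != 0) goto fail;
    return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmpl);
    return -1;
}

/* Self-check for the directory test: a fresh mkdtemp() directory is 0700,
   then it is widened to 0777 and to sticky 01777 (the /tmp case).
   Returns 1 when the helper reports 0, 1, 1 for those modes. */
int demo_dir_check(void) {
    char dir[] = "/tmp/atomic-dir-XXXXXX";        /* constructed scratch path */
    if (!mkdtemp(dir)) return 0;
    int r1 = dir_is_shared_writable(dir);
    int r2 = chmod(dir, 0777) == 0 ? dir_is_shared_writable(dir) : -1;
    int r3 = chmod(dir, 01777) == 0 ? dir_is_shared_writable(dir) : -1;
    rmdir(dir);
    return r1 == 0 && r2 == 1 && r3 == 1;
}

/* Self-check for the writer: writes a constructed payload into a private
   scratch directory, reads it back, cleans up. Returns 1 on success. */
int demo_atomic_write(void) {
    char dir[] = "/tmp/atomic-demo-XXXXXX";       /* constructed scratch path */
    char target[4200], buf[128] = {0};
    const char payload[] = "REDIS0006 constructed sample dump";
    size_t want = sizeof payload - 1, got = 0;
    FILE *fp = NULL;
    int ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/dump.rdb", dir);
    if (atomic_write_file(target, payload, want) != 0) goto out;
    if (!(fp = fopen(target, "r"))) goto out;
    got = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    ok = (got == want) && memcmp(buf, payload, want) == 0;
out:
    unlink(target);
    rmdir(dir);
    return ok;
}
```

The mkstemp() template must live in the target's own directory rather than in /tmp for the same reason the message gives: rename() does not cross devices, and a temp file in a shared directory is exactly the exposure being discussed. On a server the stronger fix is the one the message implies: keep the data directory writable by the service account only, and treat dir_is_shared_writable() returning 1 as a configuration error worth logging at startup.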
