Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 Feb 2014 08:12:21 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: temporary file creation vulnerability in Redis

Hi,

On 23 February 2014 07:35, Matthew Hall <mhall@...omputing.net> wrote:

>    641      snprintf(tmpfile,256,"temp-%d.rdb", (int) getpid());
>    642      fp =3D fopen(tmpfile,"w");
> ...
>    699      if (rename(tmpfile,filename) =3D=3D -1) {
>
>
This looks like the standard pattern for atomic file writing.  The temp
file would
probably be in the same directory as the data file, since cross-device
rename()
doesn't work.

This class of vulnerability relies on the fact that other users have write
access
to the directory that the tempfile is written to.

Regards,
  Michael

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.