Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Jun 2014 19:56:43 -0700
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Cc: andrew@...l.org
Subject: Re: TMP flaw in rackspace jclouds?

I'm a Rackspace employee and I've reached out several co-workers who work
on JClouds for us.

Alex


On Wed, Jun 18, 2014 at 7:52 PM, Kurt Seifried <kseifried@...hat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://github.com/rackspace/jclouds/
>
> So CC'ing Andrew, he's a consistent contributor, I can't file an issue
> in Github (no link to it) so posting here and CC'ing him.
>
>
> https://github.com/rackspace/jclouds/blob/master/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java
>
>   public static Statement extractTargzAndFlattenIntoDirectory(URI tgz,
> String dest) {
>       return new StatementList(ImmutableSet.<Statement> builder()
>             .add(exec("mkdir /tmp/$$"))
>             .add(extractTargzIntoDirectory(tgz, "/tmp/$$"))
>             .add(exec("mkdir -p " + dest))
>             .add(exec("mv /tmp/$$/*/* " + dest))
>             .add(exec("rm -rf /tmp/$$")).build());
>    }
>
>
> This is insecure, $$ == PID == predictable
>
> http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
>
> use java.io.File.createTempFile() ? some interesting info at
> http://www.veracode.com/blog/2009/01/how-boring-flaws-become-interesting/
>
> for directories there is a helpful posting at
>
> http://stackoverflow.com/questions/617414/create-a-temporary-directory-in-java
>
> Thanks.
>
>
> - --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJTolCLAAoJEBYNRVNeJnmTrVYQAJ5glkD/0Ha5+F99Qj9ioNmm
> ZnO4G6TqKctfiqW/X02wMocKLMRV8q5WI/nvs71hCoK5HaVmbtNrV71wE0omHLjB
> smzFz6d8qZaTcOHdvgbSlWEGPjcVnESo0F3K0vgK2L/LtB5mgny6pHDn+c/cqrgt
> Er4n+U3oXlkon/ksW+drWpKOpmGOhn7c4fbE45ci6KnzDbbGpGHF0fZL3lSEfJR0
> 0D/HQzKIAJpI7VvZU8+/d/MHasndgJoAHmUCkTBYU55Vf5eYsm+xWZ1Mt46IyAap
> crMTCHHE1GVUAexYbMxy+lohHbpl+pB/d////LzesJjByRSv87r+1oLhdwank3P9
> Fz1h3sq57JyLFQIcpm4TS7xh3TaByFGCiA5G/mR+CkuS6sZEapSkviu/x7ygmOdG
> cJKM+5CogeE1P1PWsoQ41JcSwfuWAfc5IODvkjLb3MfyoXJRaKcBVdVcdHBUK4BA
> 7xcD9SbDsujxHOJLknFaO22uTtlrDS4yXJaNal6L9P7DCsSSrxG1PmmE+t5qrtYw
> HQoz+RuOMhY/2FWJqOxa7ru99rIQmxxpWgoknUlT+yYJRfoub0kpibyJLBLy2SEx
> xmdqe/i9nHCsGAworK4bEL2vLvsNBiJgdSHlzg7E5POI1tbveE12fIUmSgrgV+zO
> WjPZ/O4oOj0FVWoeyQUN
> =SUf5
> -----END PGP SIGNATURE-----
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ