Re: [hacksware]Pine temporary file hijacking vulnerability

["Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I do not really think the problem is this.  /tmp is there for a reason,
and I don't really find any fault in vendors/developers for using it
accordingly.

I think the real problem here is the use of '$$' in temporary file
creation.  mkstemp(3) is there for a reason:

NAME
       mkstemp - create a unique temporary file

Just my $.02. :)

Cheers,
Ryan

 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
   Ryan W. Maple          "I dunno, I dream in Perl sometimes..."  -LW
   Guardian Digital, Inc.                     ryan () guardiandigital com
 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+


On Mon, 11 Dec 2000, Thomas Corriher wrote:

> So many of these problems would just disappear if the
> system's default profile had something like "$TMPDIR=$HOME"
> or "$TMPDIR=$HOME/tmp".  Pine is not really the problem.
> Poorly configured systems are the problem.  Linux
> distributors: are you paying attention?  Why should all
> users be given full access to any directory; especially if
> most programs are designed to use that directory by default?
> It is time that we wake up certain corporations and software
> distribution companies.  This sloppiness should not be
> tolerated.
>
> This type of problem appears again, and again, and again; yet
> these problems could be fixed with a one-liner.  Oh the insanity!
>
> I am not even an expert on security matters, but I do know enough
> about the basics to realize that many default configurations are
> incredibly stupid.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6Nt9UIwAIA9MpKWcRAgpVAJ0ZTeB3cCPvV5RgbzUqdSXA+Q4FHgCfbxjg
7PvBnp4ReLVu2eNq2IMpMLc=
=eSD8
-----END PGP SIGNATURE-----