oss-sec mailing list archives
Re: CVE request: hplip insecure temporary file handling in pkit.py
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 27 Nov 2013 22:00:02 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/27/2013 05:10 AM, Sebastian Krahmer wrote:
Hi, Funny. I just told upstream about that yesterday: https://bugzilla.novell.com/show_bug.cgi?id=852368 I think hplip could deserve a deeper look. Sebastian
I'll be honest, this is how I audit for tmp files:
find ./ -type f -exec grep "/tmp" {} \;
Then I look to see how those files/dirs are created, if it's anything
other than the secure ways listed here:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
it's probably wrong. I can't think of any software I've looked at that
have been 100% correct (there were two that were correct in the actual
code but had tests/etc. that were insecure).
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQIcBAEBAgAGBQJSls3SAAoJEBYNRVNeJnmTlsEP/jBKHK5OcOKN+YrnI+j+Mr/B
XRBJ/r52eBlSvXowieEq8mk2M3oEAWDizhZkGTID/u8brclXBrUQdoQt2u2eA/pc
arSoZfgDdVaQ5qgC+hEx+43XPemrVLDCRmR2f71XXUWS0mK7LvxGQthYnjWAlal7
XyF6N3KjCEOXWIVTiPGEFDnQ/wuIsl31ZPL7/5lZpCXOMX/HEFMS+oywyJ7tWCWq
CoS4GvBAyz/g1EG/X+lMWZCGtw8OSM1CrcqWp5WhTCMT1Uiw5ZADcS/YdALnXd4J
umlrR4bc3z1GSbREeCEaz9zdtKFWtX1ggbruzSmuw4JjZ+GppbT0lOOaZKmqP9wv
V9aqnjZXfUUJ7yqpi/6MB738A5E13TyPr6F+Vz8fAnx1SmPaTx3ydzMCoD7EuvXc
ApyJbn7u4xHpoRrN55MfN517fII3ptEoObPVFXEtKG0HbFu8V5SATruXWKQO6Wmx
Hd5+Tfp0aUvoA+iJwDxjlWxWj+mSni6ayAK7bbWUt7RmY0talz/jaIkCzXeHD9qn
+wamFEu11oVDZha/B/EZBL6r+tgImIPiMUWcbXvt5sfERqVyJwYoSaTa3mSrZ8Ly
ehsENBfC6NlKPy2NUf23q2MlX8lbudQHm30F1+ea6hSd86Y0k5sfgyrIq2fQLCzD
1U/hrAUnVICXFPQ2UHQ1
=GJSU
-----END PGP SIGNATURE-----
Current thread:
- CVE request: hplip insecure temporary file handling in pkit.py Ratul Gupta (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Raphael Geissert (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Sebastian Krahmer (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Kurt Seifried (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Kurt Seifried (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Sebastian Krahmer (Nov 27)
- Re: CVE request: hplip insecure temporary file handling in pkit.py Raphael Geissert (Nov 27)