oss-sec mailing list archives
Re: CVE request: hplip insecure temporary file handling in pkit.py
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 27 Nov 2013 22:00:02 -0700
On 11/27/2013 05:10 AM, Sebastian Krahmer wrote:
> Hi,
>
> Funny. I just told upstream about that yesterday:
>
> https://bugzilla.novell.com/show_bug.cgi?id=852368
>
> I think hplip could deserve a deeper look.
>
> Sebastian
I'll be honest, this is how I audit for tmp files:

find ./ -type f -exec grep "/tmp" {} \;

Then I look to see how those files/dirs are created; if it's anything other than the secure ways listed here:

http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

it's probably wrong. I can't think of any software I've looked at that has been 100% correct (there were two that were correct in the actual code but had tests/etc. that were insecure).

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
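The audit pass described in the message above, as an added example that is not part of the original post and not hplip code: it walks a source tree, reports every line mentioning `/tmp`, and sorts the hits into "uses a safe creation call" and "needs manual review". The list of safe calls (Python's `tempfile` functions and `O_CREAT` with `O_EXCL`) is an assumption made here, the sample tree is constructed, and the verdict is a per-line heuristic that only narrows what a reviewer still has to read.

```python
import os
import re
import tempfile

# Assumption: creation calls treated as safe; the linked list is not reproduced on this page.
SAFE_CALLS = re.compile(r"\b(mkstemp|mkdtemp|NamedTemporaryFile|TemporaryFile|TemporaryDirectory)\s*\(")
EXCL_OPEN = re.compile(r"O_CREAT.*O_EXCL|O_EXCL.*O_CREAT")

def classify(line):
    """Heuristic verdict for one source line that mentions /tmp."""
    if SAFE_CALLS.search(line):
        return "safe-primitive"
    return "exclusive-create" if EXCL_OPEN.search(line) else "review"

def audit_tree(root):
    """Same pass as the find/grep command: every line containing "/tmp", plus a verdict."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if "/tmp" in line:
                            findings.append((os.path.relpath(path, root), lineno,
                                             classify(line), line.strip()))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return findings

# Constructed sample tree (not hplip code); note the insecure test helper.
SAMPLE = {
    "svc.py": 'import tempfile\nlog = open("/tmp/example-service.log", "w")\n',
    "util.py": 'import tempfile\nfd, path = tempfile.mkstemp(dir="/tmp")\n',
    "tests/helper.py": 'import os\nos.system("touch /tmp/example-test.out")\n',
}

def demo():
    """Write SAMPLE into a private scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A "safe-primitive" or "exclusive-create" verdict only means the line contains one of the listed calls; how the returned descriptor or path is used afterwards still has to be read by hand.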