oss-sec mailing list archives
Re: Fwd: temporary file creation vulnerability in Redis
From: Michael Samuel <mik () miknet net>
Date: Sun, 23 Feb 2014 08:12:21 +1100
Hi,

On 23 February 2014 07:35, Matthew Hall <mhall () mhcomputing net> wrote:
> snprintf(tmpfile,256,"temp-%d.rdb", (int) getpid());
> fp = fopen(tmpfile,"w");
> ...
> if (rename(tmpfile,filename) == -1) {

This looks like the standard pattern for atomic file writing. The temp file would probably be in the same directory as the data file, since cross-device rename() doesn't work. This class of vulnerability relies on the fact that other users have write access to the directory that the tempfile is written to.

Regards,
Michael
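Added example, not part of the original message and not Redis code: the same temp-file-then-rename() pattern with the temp file created through open() with O_CREAT|O_EXCL, so creation fails if anything already exists at the predictable name, whereas fopen(tmpfile,"w") opens whatever is there. The names atomic_write and planted_symlink_is_refused and the /tmp scratch directory are assumptions made for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper, not Redis code. Writes buf to dir/name atomically via
 * dir/temp-<pid>.rdb. O_EXCL makes open() fail with EEXIST if anything, a
 * symlink included, already sits at the temp path, so a pre-planted link is
 * never followed. Returns 0 on success, -1 on failure. */
int atomic_write(const char *dir, const char *name, const void *buf, size_t len)
{
    char tmp[512], dst[512];
    snprintf(tmp, sizeof tmp, "%s/temp-%d.rdb", dir, (int)getpid());
    snprintf(dst, sizeof dst, "%s/%s", dir, name);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;                      /* refuse a pre-existing temp path */
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n == -1 && errno == EINTR) continue;
        if (n == -1) break;
        p += n;
        len -= (size_t)n;
    }
    int ok = (len == 0) && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (ok && rename(tmp, dst) == 0)
        return 0;
    unlink(tmp);                        /* we created it, so removal is safe */
    return -1;
}

/* Constructed scenario: a symlink is planted at the predictable temp name, as
 * a user with write access to the directory could do. Returns 1 if the write
 * was refused and the link target was left uncreated, 0 otherwise. */
int planted_symlink_is_refused(void)
{
    char dir[] = "/tmp/atomicw-XXXXXX", link[512], victim[512];
    if (!mkdtemp(dir)) return 0;
    snprintf(link, sizeof link, "%s/temp-%d.rdb", dir, (int)getpid());
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) == -1) return 0;
    int rc = atomic_write(dir, "dump.rdb", "data", 4);
    int refused = (rc == -1) && access(victim, F_OK) == -1;
    unlink(link);
    rmdir(dir);
    return refused;
}
```

O_EXCL only closes the pre-created-path case; the data directory should still be writable only by the service account.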