oss-sec mailing list archives

Re: pinocchio tmp vuln

From: Mikko Korpela <mikko.korpela () gmail com>
Date: Tue, 9 Sep 2014 22:14:21 +0300

"And we will need that because there are so many
devices hitting the streets with so many noob vulns that it's only a
matter of time before someone is killed."

So umm.. Your saying that you guys are saving the world by finding out
random packages that use easily guessable filenames from /tmp/ that
everybody has access to?

I think security (like safety) has its place, but it is largely
context dependent - you don't put locks to every door in your house
(or I hope you don't) or you end up spending all the time opening and
closing them.

I'm not arguing that the things you guys are talking about are not
important in many contexts but test automation??

It is part of software development process - and in many cases
requires that the system under test must be executed in some very
unsecure way to enable access to the internals of the tested system.
So in this place where these tests are executing (developers little
sandbox that is far away from the evil world around us) if someone
"evil" has access to the /tmp/ folder or the machine in any way then
you are already screwed.

So could someone please give me an example case of a test automation
tool where removing a /tmp/ vuln would have had any significance?

(By the way I kind of think that I'm saving the world also :P by
giving people test automation tools so they can get bugs out of their
software systems - and bugs really kill people)

2014-09-09 19:39 GMT+03:00 John Haxby <john.haxby () oracle com>:

On 09/09/14 09:34, Steve Kemp wrote:

                                         I'm sure lots of
 modules exist created by inexperienced developers who haven't
 considered the implications of posting new code libraries.


We see lots of people making the same mistakes over and over again.

Apart from the obvious newbie mistakes of failing to create proper
temporary directories, we also get things like the slightly more subtle
shipping a "secure" web server with a fixed self-signed cert.   Or
copying a user-supplied string into a MAXPATH+1 buffer because that's
long enough for any pathname.   Or ...

I don't need to go on, we've all seen them and Kurt highlighting
problems is all goodness because at least it gets people thinking a bit
more about security.  And we will need that because there are so many
devices hitting the streets with so many noob vulns that it's only a
matter of time before someone is killed.

jch




-- 
Mikko Korpela

Current thread:

pinocchio tmp vuln Kurt Seifried (Sep 08)
- Re: pinocchio tmp vuln David Jorm (Sep 08)
  - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln Steve Kemp (Sep 09)
    - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln Henri Salo (Sep 09)
    - Re: pinocchio tmp vuln Kurt Seifried (Sep 09)
    - Re: pinocchio tmp vuln Donald Stufft (Sep 11)
    - Re: pinocchio tmp vuln John Haxby (Sep 09)
    - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln John Haxby (Sep 11)
    - Re: pinocchio tmp vuln Kurt Seifried (Sep 11)
    - Re: pinocchio tmp vuln Kurt Seifried (Sep 11)
    - Re: pinocchio tmp vuln Mikko Korpela (Sep 11)