Re: uudecode bug (?)

[Colin Watson]

On Mon, 10 Jun 2002 at 13:55:47 +0200, martin f krafft wrote:
> i fully agree with you. nevertheless, we're also dealing with a race
> condition here. there are millions of cycles between me `ls` checking
> for a file that already exists, and uudecode actually fopen()ing the
> file for 'w' mode. if a file exists and it's overwritten, then no
> biggie, but a symlink or pipe do not really represent anything to be
> overwritten and are thus dangerous, i find.

If you want to close the race condition properly, I suggest creating a
new directory with secure modes, checking that the creation succeeded,
and uudecoding the file there (providing you've checked that it doesn't
unpack to an absolute path specification). mkdir() is atomic, so you are
safe. Adding a special-case check to uudecode for this is a very poor
hack around the race condition.

I don't think this is any more of a security problem in uudecode than
the fact that 'echo text >> filename' follows symlinks. Scripts that
call uudecode may be buggy, but they should clearly be fixed; do we
believe that the sort of installer script Dr. Bieringer quotes as
uudecoding to a well-known filename in a world-writable directory uses
no other standard tools in insecure ways?

-- 
Colin Watson                                  address@hidden