[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: many packages write to `temporary-file-directory' insecurely
From: |
Pavel Janík |
Subject: |
Re: many packages write to `temporary-file-directory' insecurely |
Date: |
Sat, 02 Mar 2002 12:52:51 +0100 |
User-agent: |
Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2.50 (i386-suse-linux-gnu) |
From: Colin Walters <address@hidden>
Date: 28 Feb 2002 20:15:51 -0500
> I discovered a security problem with M-x snake, and a number of other
> packages. For example, snake writes "snake-scores" to
> `temporary-file-directory' (which defaults to /tmp on my system). If an
> attacker creates a symlink /tmp/snake-scores -> /home/luser/.bashrc, and
> "luser" later runs M-x snake, then their .bashrc will be happily
> overwritten with their snake scores. Try it.
The problem is actually in gamegrid.el's gamegrid-add-score. We should not
write to file if it is symlink or hard link. Am I right?
--- gamegrid.el.~1.4.~ Wed Feb 6 13:39:50 2002
+++ gamegrid.el Sat Mar 2 12:51:15 2002
@@ -405,26 +405,29 @@
;; ;;;;;;;;;;;;;;; high score functions ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(defun gamegrid-add-score (file score)
- "Add the current score to the high score file."
- (save-excursion
- (find-file-other-window file)
- (setq buffer-read-only nil)
- (goto-char (point-max))
- (insert (format "%05d\t%s\t%s <%s>\n"
- score
- (current-time-string)
- (user-full-name)
- (cond ((fboundp 'user-mail-address)
- (user-mail-address))
- ((boundp 'user-mail-address)
- user-mail-address)
- (t ""))))
- (sort-numeric-fields 1 (point-min) (point-max))
- (reverse-region (point-min) (point-max))
- (goto-line (1+ gamegrid-score-file-length))
- (delete-region (point) (point-max))
- (setq buffer-read-only t)
- (save-buffer)))
+ "Add the current score to the high score file.
+If the high score file is a symlink or hard link, do nothing."
+ (unless (or (file-symlink-p file)
+ (> (or (file-nlinks file) 0) 1))
+ (save-excursion
+ (find-file-other-window file)
+ (setq buffer-read-only nil)
+ (goto-char (point-max))
+ (insert (format "%05d\t%s\t%s <%s>\n"
+ score
+ (current-time-string)
+ (user-full-name)
+ (cond ((fboundp 'user-mail-address)
+ (user-mail-address))
+ ((boundp 'user-mail-address)
+ user-mail-address)
+ (t ""))))
+ (sort-numeric-fields 1 (point-min) (point-max))
+ (reverse-region (point-min) (point-max))
+ (goto-line (1+ gamegrid-score-file-length))
+ (delete-region (point) (point-max))
+ (setq buffer-read-only t)
+ (save-buffer))))
;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--
Pavel Janík
die_if_kernel("Whee... Hello Mr. Penguin", current->tss.kregs);
-- 2.2.16 arch/sparc/kernel/traps.c
- Re: many packages write to `temporary-file-directory' insecurely,
Pavel Janík <=
- Re: many packages write to `temporary-file-directory' insecurely, Colin Walters, 2002/03/02
- Re: many packages write to `temporary-file-directory' insecurely, Pavel Janík, 2002/03/02
- Re: many packages write to `temporary-file-directory' insecurely, Stefan Monnier, 2002/03/03
- Re: many packages write to `temporary-file-directory' insecurely, Al Petrofsky, 2002/03/03
- Re: many packages write to `temporary-file-directory' insecurely, Stefan Monnier, 2002/03/03
- Re: many packages write to `temporary-file-directory' insecurely, Richard Stallman, 2002/03/04
- Re: many packages write to `temporary-file-directory' insecurely, Al Petrofsky, 2002/03/04
- Re: many packages write to `temporary-file-directory' insecurely, Stefan Monnier, 2002/03/05
- Re: many packages write to `temporary-file-directory' insecurely, Al Petrofsky, 2002/03/05
- Re: many packages write to `temporary-file-directory' insecurely, Richard Stallman, 2002/03/05