Ticket #69 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

bzdiff tempfile patch is bad

Reported by: alexander@linuxfromscratch.org Assigned to: clfs-commits@lists.cross-lfs.org.
Priority: major Milestone: CLFS Sysroot 1.0.0
Component: BOOK Version: CLFS Sysroot 1.0.0
Keywords: security Cc:

Description

Without "tempfile", bzdiff creates files in /tmp with predictable names (because PIDs are not random). This allows for a symlink-based attack. Also, the "tempfile" program is installed anyway. Please remove the patch.

Change History

07/22/06 06:46:34 changed by chris@beaker67.com

The idea is to remove the reference to tempfile because it is deprecated, and hopefully be able to remove the tempfile patch from the book. Actually, I am the one who originally suggested changing bzdiff, but my original idea was to do what was done in LFS - to simply use a sed to replace the tempfile reference with mktemp.

07/22/06 19:06:50 changed by jciccone

From what I can tell the tempfile patch can be replaced with this sed: 

sed -i "/tmp=/s/\`.*\`/\`mktemp\`/" bzdiff

which changes this line: 

tmp=`tempfile -d /tmp -p bz` || {

to 

tmp=`mktemp` || {

08/07/06 15:14:26 changed by chris@beaker67.com

Yeah, I think that's what we should do.

08/07/06 15:24:31 changed by jim

This patch of mine was accepted upstream.

http://www.linuxfromscratch.org/patches/downloads/bzip2/bzip2-1.0.3-remove_tempfile-1.patch

This removes tempfile and uses the same method that is used in gzip.

01/17/07 19:22:44 changed by jciccone

  • status changed from new to closed.
  • resolution set to fixed.

Closing this ticket as fixed. Jim's patch has been included in bzip2-1.0.4.