[Bug 217311] Review Request: xarchiver - Archive manager for Xfce

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Review Request: xarchiver - Archive manager for Xfce


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217311





------- Additional Comments From pertusus@xxxxxxx  2006-12-10 18:47 EST -------
(In reply to comment #14)

> As I have not tested lha I have also removed x-lha and x-lhz now. I still would
> like rar in. If required programm (from the other repo) is not installed,
> xarchiver will show a message that tells you to install it. This should IMHO be
> allowed.

Ok for rar.

> Can you please clairfy the symlink-attack problem from comment #4 a little? My
> hacking skills are too low to explain Guiseppe what you mean. Seems like he
> already noticed there's something not sane, see
> http://bugzilla.xfce.org/show_bug.cgi?id=2616

If a program creates a file below /tmp with a predictable name,
it opens a possibility for this well known attack. In short an attacker
have to create the conditions for a race condition by slowing down
xarchiver, then creates a symlink in /tmp which overwrites a file. 

A longer story is: the attacker waits for you to begin opening a .deb,
slows xarchiver, create a symlink in /tmp/ with the predictable name
pointing to one of your file, and this file content will be 
overwritten by the newly created file content. A simple fix is to 
use mkdtemp or mkstemp to create the directory or the file with an
unpredictable name.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review

[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]