Summary: Review Request: xarchiver - Archive manager for Xfce
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217311

------- Additional Comments From pertusus@xxxxxxx 2006-12-10 18:47 EST -------

(In reply to comment #14)
> As I have not tested lha I have also removed x-lha and x-lhz now. I still would
> like rar in. If the required program (from the other repo) is not installed,
> xarchiver will show a message that tells you to install it. This should IMHO be
> allowed.

Ok for rar.

> Can you please clarify the symlink-attack problem from comment #4 a little? My
> hacking skills are too low to explain to Giuseppe what you mean. Seems like he
> already noticed there's something not sane, see
> http://bugzilla.xfce.org/show_bug.cgi?id=2616

If a program creates a file below /tmp with a predictable name, it opens a
possibility for this well-known attack. In short, an attacker has to create the
conditions for a race condition by slowing down xarchiver, then creates a
symlink in /tmp which overwrites a file.

A longer story is: the attacker waits for you to begin opening a .deb, slows
xarchiver, creates a symlink in /tmp/ with the predictable name pointing to one
of your files, and this file's content will be overwritten by the newly created
file's content.

A simple fix is to use mkdtemp or mkstemp to create the directory or the file
with an unpredictable name.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review
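As an added illustration of the fix the comment suggests (example code written here, not xarchiver's own code or the commenter's), the predictable `/tmp` naming pattern is shown beside its mkdtemp/mkstemp replacement. The `/tmp/xarchiver-<pid>` name and the `extract-` prefix are assumptions made for the example, not taken from xarchiver.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The risky pattern (assumed naming scheme): a path any local user can
 * predict from the pid. A symlink planted there beforehand is followed by a
 * later open-for-write, so the data lands in whatever the link points to. */
static int predictable_name(char *buf, size_t len)
{
    return snprintf(buf, len, "/tmp/xarchiver-%ld", (long)getpid()) < (int)len;
}

/* Fixed: mkdtemp() replaces XXXXXX with a random suffix and creates the
 * directory atomically with mode 0700; it fails rather than reuse a path
 * that already exists, so a pre-planted symlink cannot be walked into. */
static int make_private_dir(char *path, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    if (snprintf(path, len, "%s/xarchiver-XXXXXX", base) >= (int)len) return -1;
    return mkdtemp(path) != NULL ? 0 : -1;
}

/* Fixed: mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600 and
 * returns an open fd. Keep working through that fd; reopening the name
 * would bring the race back. */
static int make_private_file(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/extract-XXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path);
}

/* Returns 1 if two successive predictable names are identical (guessable). */
int predictable_is_stable(void)
{
    char a[64], b[64];
    return predictable_name(a, sizeof a) && predictable_name(b, sizeof b)
        && strcmp(a, b) == 0;
}

/* Create a private dir and file, write through the fd, clean up.
 * Returns 1 on success and confirms the XXXXXX template was filled in. */
int hardened_roundtrip(void)
{
    char dir[256], file[300];
    int fd, ok;
    if (make_private_dir(dir, sizeof dir) != 0) return 0;
    fd = make_private_file(dir, file, sizeof file);
    ok = fd >= 0 && strstr(file, "XXXXXX") == NULL && write(fd, "ok\n", 3) == 3;
    if (fd >= 0) { close(fd); unlink(file); }
    rmdir(dir);
    return ok;
}
```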