antirez <[EMAIL PROTECTED]> writes:
| While not heavely used, tac is a nice utility useful to reverse a file.
| Unfortunately it uses creat() in order to create a temp file under /tmp
| It needs to do this only if you use tac in pipe or with standard input
| (otherwise it just jumps to the bottom of the file).
| Here is the strace output:
|
| stat("/tmp/taca03411", 0xbffff830) = -1 ENOENT (No such file or directory)
| creat("/tmp/taca03411", 0600) = 3
|
| The temp filename is something like taca0+pid so it is trivial to predict,
| however, since tac uses stat() (not lstat) before creat() you can exploit this
| only in order to creat new files (for example /etc/nologin).
| I tested this for tac version 1.22 distribuited with
| the "GNU Text Utilities".
Thanks for the report.
1.22 is pretty old; I'd hope the security-conscious have upgraded.
That bug was fixed for textutils-2.0.
Here's the latest test release:
ftp://alpha.gnu.org/gnu/fetish/textutils-2.0d.tar.gz
