Jonathan Nieder wrote:

> Hi,
> 
> Vincent Lefevre wrote:
> 
> > --- /usr/bin/xpdf   2011-07-28 06:29:44.000000000 +0200
> > +++ xpdf    2011-07-29 16:36:38.000000000 +0200
> > @@ -78,7 +78,7 @@
> >  elif [ "$cat" = "cat" ]; then
> >      $cmd -title "$title" "$file" $pages
> >  else
> > -    tmp=$(tempfile -p "$(basename "$file")" -s .pdf)
> > +    tmp=$(tempfile -s .pdf)
> >      $cat "$file" > "$tmp"
> >      trap "rm -f \"$tmp\"" EXIT HUP INT QUIT TERM 
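
Review bot: on the trap line at the end of this hunk, \"$tmp\" is expanded when the trap is installed rather than when it fires, so the path returned by tempfile becomes part of a command string that the shell parses again at exit. Removing -p "$(basename "$file")" takes the PDF's file name out of that string, but the handler still relies on the path containing no shell metacharacters; a single-quoted handler such as trap 'rm -f -- "$tmp"' EXIT HUP INT QUIT TERM defers the expansion, and the -- covers a path that starts with a dash. The new tempfile call is also used unchecked: if it fails, tmp is empty and the redirection on the next line targets an empty file name.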
> 
> This is still vaguely vulnerable if a malicious or incompetent person
> has control of TMPDIR (which I admit is far-fetched).  Wasn't the
> original intent closer to
> 
>       trap "rm -f -- \"\$tmp\"" EXIT HUP INT QUIT TERM
> 
> which prevents the variable from being interpolated in advance at all?

The problem was never that an attacker had control of /tmp (it was
that an attacker had control of the pdf's file name). If the attacker
has control of /tmp and all can generate any file name permutation in
time to get his malicious version in place of the intended one, then
the real issue is that tmpfile's file name generation is weak, and the
problem would need to be fixed there.

Best wishes,
Mike
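
The difference between the two trap forms discussed in this thread, as an added example that is not part of the original messages or of the xpdf wrapper script. The function name trap_demo, the scratch directory and the file name containing a double quote are constructed for illustration.

```shell
#!/bin/sh
# trap_demo FORM: install one of the two trap forms from the thread in a
# scratch directory and report what the handler did when the shell exited.
#   early    - the wrapper's line: "$tmp" is expanded when the trap is set
#   deferred - the form suggested in the reply: expanded when the trap fires
trap_demo() {
    form=$1
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Constructed value: a name containing a double quote, standing in
        # for any path the script author does not fully control. The extra
        # text after the quote only creates an empty file called MARKER.
        tmp='x.pdf"; : > "MARKER'
        : > "$tmp"
        case $form in
            early)    trap "rm -f \"$tmp\"" EXIT ;;
            deferred) trap 'rm -f -- "$tmp"' EXIT ;;
        esac
        exit 0
    )
    if [ -e "$work/MARKER" ]; then
        result=extra-command-ran      # handler string was re-parsed as two commands
    elif [ -e "$work/x.pdf\"; : > \"MARKER" ]; then
        result=file-left-behind       # handler ran but did not remove the file
    else
        result=file-removed           # handler removed exactly the temp file
    fi
    rm -rf "$work"
    echo "$result"
}

for f in early deferred; do
    printf '%s: %s\n' "$f" "$(trap_demo "$f")"
done
```

With the early form the temporary file is also left in place, because the re-parsed handler removes a file called x.pdf instead.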


