tags 496419 confirmed
thanks

Hi,

A simple grep revealed a lot of tempfile issues here, see below. As far as I understand it, the code runs as root. This makes the issue quite serious. Please make sure this is fixed before lenny is released.

As several different temp files are used insecurely, it may be better to create a separate, private working directory for the program where it may store all those files at will.

cheers,
Thijs

./config-scripts/xen-3.2/configure-xend.sh: cat <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh: $OPENSSL req -new -key $KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh: rm /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: cat <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: $OPENSSL req -new -key $KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh: rm /tmp/open_ssl.res
./src/utils.py: updates_file = "/tmp/updates.xml"
./src/utils.py: dir="/tmp")
./src/utils.py: TEST_CONFIGFILE = '/tmp/convirt.conf'
./src/XenNode.py: dom_config.save("/tmp/test_config")
./src/XenNode.py: newcfg.set_filename("/tmp/Txx")
./src/XenNode.py: f = managed_node.node_proxy.open("/tmp/Txx")
./src/XenNode.py: print "### read config from /etc/xen/auto and write them to /tmp"
./src/XenNode.py: d.save("/tmp/" + f)
./src/NodeProxy.py: node.put("/tmp/send", "/tmp/send_r")
./src/NodeProxy.py: node.get("/tmp/send_r", "/tmp/received")
./src/NodeProxy.py: fd = node.open('/tmp/test_writable','w')
./src/NodeProxy.py: print 'exists?: ',node.file_exists('/tmp/test_writable')
./src/NodeProxy.py: print 'isWritable?: ', node.file_is_writable('/tmp/test_writable')
./src/NodeProxy.py: node.remove('/tmp/test_writable')
./src/NodeProxy.py: print 'exists?: ', node.file_exists('/tmp/test_writable')
./src/NodeProxy.py: node.mkdir("/tmp/node_test")
./src/NodeProxy.py: w = node.open("/tmp/node_test/test", "w")
./src/NodeProxy.py: r = node.open("/tmp/node_test/test")
./src/NodeProxy.py: node.remove("/tmp/node_test/test")
./src/NodeProxy.py: node.rmdir("/tmp/node_test")
./src/NodeProxy.py: output,code = node.exec_cmd('find /tmp')
./src/NodeProxy.py: output,code = node.exec_cmd('junk /tmp')
./src/GridManager.py: dir="/tmp")
./src/KVMProxy.py: cmdline = cmdline + " -monitor unix:/tmp/" + config.get("name") + \
./src/KVMProxy.py: config["monitor"] = "unix:/tmp/xyz"
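Added example, not part of the original report and not the package's own code: a Python 3 illustration of the private working directory suggested in the message, next to the fixed-name pattern from the grep output. The function names and the "convirt-" prefix are assumptions, and the shared directory is a constructed stand-in for /tmp.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

def make_private_workdir(prefix="convirt-"):
    # mkdtemp() creates an unpredictably named directory atomically, mode 0700.
    return tempfile.mkdtemp(prefix=prefix)

def write_private(workdir, name, data):
    # O_EXCL fails if anything (file or symlink) already has this name;
    # the file is created 0600 instead of at the umask default.
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("name must be a plain file name")
    path = os.path.join(workdir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "w") as fh:
        fh.write(data)
    return path

def write_predictable(shared_dir, name, data):
    # Pattern from the grep output: open(..., "w") on a fixed name follows
    # and truncates whatever already exists there.
    with open(os.path.join(shared_dir, name), "w") as fh:
        fh.write(data)

def demo():
    shared = tempfile.mkdtemp(prefix="shared-")  # constructed stand-in for /tmp
    work = make_private_workdir()
    try:
        other = write_private(shared, "other-file", "original")
        # Constructed precondition: the well-known name already exists as a link.
        os.symlink(other, os.path.join(shared, "open_ssl.res"))
        try:
            write_private(shared, "open_ssl.res", "answers")
            refused = False
        except FileExistsError:
            refused = True
        intact = Path(other).read_text() == "original"
        write_predictable(shared, "open_ssl.res", "answers")
        overwritten = Path(other).read_text() == "answers"
        path = write_private(work, "open_ssl.res", "answers")
        return {"refused": refused, "intact": intact, "overwritten": overwritten,
                "dir_mode": stat.S_IMODE(os.stat(work).st_mode),
                "file_mode": stat.S_IMODE(os.stat(path).st_mode)}
    finally:
        shutil.rmtree(shared)
        shutil.rmtree(work)
```

Calling demo() returns which write was refused, whether the unrelated file stayed intact, and the modes of the private directory and file.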