All,

Whilst doing some janitor work on the OpenVAS code base I spotted a potential race condition.

openvas-scanner/openvassd/utils.c contains a function temp_file_name() which contains a loop that recursively constructs random filenames under OPENVASSD_STATEDIR/tmp and then checks whether they exist by attempting to open them with O_RDONLY. When open returns a file descriptor >= 0, the filename is returned.

This function is called from openvas-scanner/openvassd/ntp_11.c by the ntp_11_recv_file() function. This function opens the filename returned with O_CREAT|O_WRONLY|O_TRUNC and then writes to it.

There exists a time of check, time of use race condition which might be exploited to overwrite arbitrary files. Thoughts before I start to clean it up? ATTACHED_FILE still seems to be supported by OTP 1.0, no?

Tim
-- 
Tim Brown
<mailto:t...@openvas.org>
<http://www.openvas.org/>
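For reference, the usual fix for the probe-then-create sequence described above is to let the kernel check and create in a single call (O_CREAT|O_EXCL, which is what mkstemp() does). The block below is an added illustration, not OpenVAS code or Tim's patch; the helper names, the "recv-XXXXXX" template and the "/nonexistent-target" symlink are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L          /* for mkstemp(), symlink(), fstat() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the probe-then-create sequence (hypothetical
 * helper, constructed template): mkstemp() creates with O_CREAT|O_EXCL and
 * mode 0600 in one syscall, so an existing entry, file or symlink, makes it
 * fail instead of being followed. Returns the open fd or -1; path_out gets
 * the chosen name, which the caller can hand to the writer as-is. */
int create_private_tmp(const char *dir, char *path_out, size_t len)
{
    if (snprintf(path_out, len, "%s/recv-XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);
}

/* Round trip: fd valid and private (0600), then clean up. 1 on success. */
int private_tmp_roundtrip(const char *dir)
{
    char path[4096];
    struct stat st;
    int ok, fd = create_private_tmp(dir, path, sizeof path);
    if (fd < 0) return 0;
    ok = fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}

/* Mitigation check: with O_EXCL a pre-existing entry (here a dangling symlink) must fail with EEXIST. */
int exclusive_refuses_existing(const char *dir)
{
    char path[4096];
    int fd, refused;
    snprintf(path, sizeof path, "%s/recv-check-%ld", dir, (long)getpid());
    unlink(path);
    if (symlink("/nonexistent-target", path) != 0) return 0;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(path);
    return refused;
}
```

The writer side (ntp_11_recv_file() in the report) would then use the fd returned by create_private_tmp() directly rather than reopening the name with O_TRUNC, which removes the window entirely.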