Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile
Note new experimental grass packages by Steve Halasz can be found at:
http://pkg-grass.alioth.debian.org/cgi-bin/wiki.pl?DebianGisRepository

Currently at GRASS version 6.0.0beta2 (which among other things fixes this bug). This should be ready for unstable soon.

thanks to the folks at the Debian GIS Project,
Hamish

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
> I'll try to get a CVS package squared away tomorrow.

I have just reverted that init.sh $TMPDIR change now, so it should be all set for a fresh checkout, AFAICT.

> Best to do it as quickly as possible I think.

Yes, I hadn't been keeping up with the Debian Weekly News & the sarge release appears to be much closer than I thought it was.

Hamish
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
On Thu, 2005-02-03 at 12:55 +1300, Hamish wrote:
> Hi, for those playing along at home, time for a status update:
>
> r.terraflow is the only module in GRASS 6.0 CVS which hasn't been fixed
> for this bug yet (end user set-able but uses "/var/tmp" as default).
>
> You can make a GRASS package without the r.terraflow module by doing:
>   ./configure --without-cxx
>
> this has no repercussions on the rest of the package.
>
> Hopefully we can have a GRASS 6beta2 release soon with r.terraflow fixed
> and a new debian package made from that. If you don't want to wait, pull
> from CVS and do --without-cxx.

Hamish,

You rock! I'll try to get a CVS package squared away tomorrow. Best to do it as quickly as possible I think.

Thanks,
Steve
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
Hi, for those playing along at home, time for a status update:

r.terraflow is the only module in GRASS 6.0 CVS which hasn't been fixed for this bug yet (end user set-able but uses "/var/tmp" as default).

You can make a GRASS package without the r.terraflow module by doing:
  ./configure --without-cxx

this has no repercussions on the rest of the package.

Hopefully we can have a GRASS 6beta2 release soon with r.terraflow fixed and a new debian package made from that. If you don't want to wait, pull from CVS and do --without-cxx.

see the pkg-grass mailing list at Alioth for more info.
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-general

best,
Hamish
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
[cc bug lists to archive the link]

> This page describes a way to create a secure tmp directory where you
> can create tmp files without worrying about their names:
>
> http://www.linuxsecurity.com/content/view/115462/151/#mozTocId316364
..
>
> Maybe someone can help me with this one:
>
> lib/db/stubs/BUILD.PROTO

Thanks, but as I can't find anything that actually uses that script I'm just going to remove it if no one objects.

That leaves r.terraflow as the only one left (I think); I'm waiting for an update from the module's author.

Hamish
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
Hamish wrote:

> Just an update re. less-insecure tempfiles ..
>
> In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/
> directory now uses g.tempfile. C modules are next. I am not sure what to
> do with the init scripts & libs where the GRASS tempfile fn's may not be
> available..

Re-write g.tempfile so that it doesn't rely upon GRASS having been initialised, i.e. just use tempnam() or similar rather than relying upon G_getenv() etc.

The only code which really needs to use G_tempfile() is code which creates files within the GRASS database (e.g. G_open_cell_new() etc), as the files have to reside on the same filesystem as the rest of the database. Everything else can use $TMPDIR.

--
Glynn Clements <[EMAIL PROTECTED]>
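An added example, not part of the thread and not GRASS code: one way a shell script can follow the two suggestions above (a private temporary directory whose file names need not be unpredictable, and scratch space taken from $TMPDIR). It uses mktemp(1) rather than the tempnam() named in the message; the function names and the `grass-example` prefix are hypothetical.

```shell
#!/bin/sh
# Added example, not GRASS code. The function names and the
# "grass-example" prefix are hypothetical.

# Create a private scratch directory under $TMPDIR (falling back to /tmp).
# mktemp -d picks an unpredictable name and creates the directory in one
# step, owner-only; it fails rather than reuse a path that already exists.
make_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    dir=$(mktemp -d "$base/grass-example.XXXXXX") || return 1
    # Defensive re-check: a real directory, not a symlink, mode 0700.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    perms=$(ls -ld "$dir" | cut -c1-10)
    [ "$perms" = "drwx------" ] || { rmdir "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Inside the private directory, fixed file names are safe to use because
# no other unprivileged user can create entries there.
# $1 = private directory, $2 = plain file name (no path components)
scratch_file() {
    case $2 in
        ""|.|..|*/*) return 1 ;;
    esac
    ( umask 077 && : > "$1/$2" ) || return 1
    printf '%s\n' "$1/$2"
}

# Typical use in a script: create, register cleanup, then work.
work=$(make_private_tmpdir) || exit 1
trap 'rm -rf "$work"' EXIT
out=$(scratch_file "$work" region.txt) || exit 1
echo "scratch file: $out"
```

Files that must live on the same filesystem as the GRASS database are outside what this sketch covers, as the message notes.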
Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation
[thanks for the 5.0.3 patch Marga]

Just an update re. less-insecure tempfiles ..

In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/ directory now uses g.tempfile. C modules are next. I am not sure what to do with the init scripts & libs where the GRASS tempfile fn's may not be available..

These fixes are not in Steve Halasz's grass 6.0beta1 grass package[**], I'm not sure when 6beta2 will be but maybe Steve & co. are willing to backport these changes to 6beta1 and push for that to get into Sarge.

[*] http://freegis.org/cgi-bin/viewcvs.cgi/grass51/
[**] http://pkg-grass.alioth.debian.org/cgi-bin/wiki.pl

a number of the instances on the offender list were actually commented out, etc.

still to look at:
lib/db/stubs/BUILD.PROTO
lib/db/dbmi_driver/mk_dbstubs_h.sh
lib/gis/unix_socks.c
lib/gis/gislib.dox
lib/gis/win32_pipes.c
lib/init/init.sh
lib/init/make_location_epsg_g57.sh
raster/r.terraflow/description.html
raster/r.terraflow/main.cc

regards,
Hamish