Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Mattias Gaertner
On Fri, 29 Aug 2008 18:31:42 +0200 Joost van der Sluis <[EMAIL PROTECTED]> wrote: > On Friday 29-08-2008 at 15:53 [time zone +0200], Mattias Gaertner wrote: > > On Fri, 29 Aug 2008 14:55:00 +0200 > > Joost van der Sluis <[EMAIL PROTECTED]> wrote: > > > > > Hi all, > > > > > > As the pack

Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Joost van der Sluis
On Friday 29-08-2008 at 15:53 [time zone +0200], Mattias Gaertner wrote: > On Fri, 29 Aug 2008 14:55:00 +0200 > Joost van der Sluis <[EMAIL PROTECTED]> wrote: > > > Hi all, > > > > As the packager of Lazarus in Fedora, I get notifications if someone > > files a bug in Fedora's bug-tracker.

Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Martin Friebe
Just some ideas on the topic. IMHO the tmp-dir should have a random, or pseudo-random, element to it, and the current script should not (at least not without asking) delete a tmp-dir. A random element (such as the PID) would solve issues if 2 different users run the script simultaneously (e.g

Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread ik
You should create a temporary name or check and see where the symlink follows before executing/removing it. So if it does not point in the right direction, you just exit with an error. Ido On Fri, Aug 29, 2008 at 5:53 PM, Vincent Snijders <[EMAIL PROTECTED]> wrote: > Joost van der Sluis wrote:

Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Vincent Snijders
Joost van der Sluis wrote: > Hi all, > > As the packager of Lazarus in Fedora, I get notifications if someone > files a bug in Fedora's bug-tracker. > > Now someone added a bug-report with a security issue: > https://bugzilla.redhat.com/show_bug.cgi?id=460642 > > And indeed, if someone adds a

Re: [Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Mattias Gaertner
On Fri, 29 Aug 2008 14:55:00 +0200 Joost van der Sluis <[EMAIL PROTECTED]> wrote: > Hi all, > > As the packager of Lazarus in Fedora, I get notifications if someone > files a bug in Fedora's bug-tracker. > > Now someone added a bug-report with a security issue: > https://bugzilla.redhat.com/sho

[Lazarus] Security issue (symlink attack) in Lazarus filed on Fedora's bugzilla

2008-08-29 Thread Joost van der Sluis
Hi all, As the packager of Lazarus in Fedora, I get notifications if someone files a bug in Fedora's bug-tracker. Now someone added a bug-report with a security issue: https://bugzilla.redhat.com/show_bug.cgi?id=460642 And indeed, if someone adds a symlink like 'ln -s /tmp/fpc_patchdir /etc' and