[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev Re: A vulnerability in Lynx (all versions) <bug 004352> [BS
|
From: |
Jeffrey C Honig |
|
Subject: |
Re: lynx-dev Re: A vulnerability in Lynx (all versions) <bug 004352> [BSDI-Support-Request #41289] |
|
Date: |
Wed, 01 Jul 1998 13:51:17 -0400 |
> AFAIK this was corrected in 2-7-2 & 2-8,
> following considerable discussion on lynx-dev,
> for which see the Archive at www.flora.org/lynx-dev/ .
> of course, if this is a different bug which no-one has noticed till now,
> i'm sure we'ld all like to know ...
It is the same bug.
Lynx 2.8rel2 still makes predictable filenames in /tmp and doesn't use
open(O_EXCL), so there is still a race condition. In fact it's not
even a race...
I was able to create a file on a remote host with a .gz extension and
made a symlink with the predicted file name to ~user/.rhosts. Lynx
happily copied a text file into ~user/.rhosts, failed to uncompress
the file and left ~user/.rhosts with mode 0600.
Until lynx uses open with O_CREAT|O_EXCL (on systems that support it,
of course) this is still a bug.
Thanks.
Jeff