/tmp hole in gnome-help-browser



With the right link, you can destroy any file of another user,
if he starts gnome-help-browser.

See gnome-core/help-browser/window.c

#define IMAGE_TEMPFILE "/tmp/gnome-help-browser.tmpfile"

       fd = open(IMAGE_TEMPFILE, O_WRONLY | O_CREAT, 0666);
        if (fd >= 0) {
            docObjGetRawData(obj, &buf, &buflen);
            write(fd, buf, buflen);
            close(fd);
        }

Robert



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]