Re: deb vfs security issue (CAN-2004-0494)



Hi Andrew,

On Thu, 2004-08-19 at 09:42, Andrew V. Samoilov wrote:
> > I see. copyin is passed unchecked parameters, but those are quotemeta'd
> > with myin. This seems to be the case in most opens, except one: copyout.
> > Are you sure 'open 0, "> $out";' is fine?
>  
> Well `open O,  '>', $out` is more right and secure here.
> Patch attached.  Can you commit this one?

Please wait with committing this. As I am going through many of the
files in vfs/extfs it's probably better to wait for a comprehensive
patch that I intend to make. There are many more occurrences of the
above open syntax.

Why is the latter form more correct? If it is I am happy to change all
occurrences of the old form where I find them.

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
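On the question above of why the three-argument form is preferred: two-argument `open` parses the mode and the file name out of a single string and ignores leading and trailing whitespace in it, so the file created may not be the one `$out` names. The script below is an added example, not part of the original message or of the patch under discussion; the sample names are constructed and stand in for an unchecked `$out`.

```perl
#!/usr/bin/perl
# Added example: compare which file each open() form creates for the same name.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Both forms open for writing; only the way the name is passed differs.
my @forms = (
    [ 'two-arg',   sub { open(my $fh, "> $_[0]")  or return; $fh } ],
    [ 'three-arg', sub { open(my $fh, '>', $_[0]) or return; $fh } ],
);

# Constructed sample names (plain, trailing space, leading space, trailing newline).
my @names = ("member.txt", "member.txt ", " member.txt", "member.txt\n");

# Make whitespace visible when printing a name.
sub visible { my $s = shift; $s =~ s/\n/\\n/g; return "[$s]" }

my $start = getcwd();
for my $name (@names) {
    for my $form (@forms) {
        my ($label, $opener) = @$form;

        # Work in a fresh scratch directory so the listing shows one file only.
        my $dir = tempdir(CLEANUP => 1);
        chdir $dir or die "chdir $dir: $!";

        my $fh = $opener->($name) or die "$label open failed: $!";
        close $fh;

        # Read back the name that actually landed on disk.
        opendir(my $dh, '.') or die "opendir: $!";
        my @made = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
        closedir $dh;
        chdir $start or die "chdir $start: $!";

        printf "%-9s requested %-16s created %s\n",
            $label, visible($name), join(', ', map { visible($_) } @made);
    }
}
```

Wherever the two rows for a name differ, the two-argument form has rewritten the path before creating the file, which is the behaviour the three-argument form removes.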




