Bug 1239009

Summary: rear: Insecure temporary file usage
Product: [Fedora] Fedora Reporter: Ján Rusnačko <jrusnack>
Component: rear Assignee: Gratien D'haese <gratien.dhaese>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22 CC: gratien.dhaese, phracek, qe-baseos-daemons
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: 1.17.2 rear-1.17.2-1.fc23 rear-1.17.2-1.fc21 rear-1.17.2-1.fc22 Doc Type: Bug Fix
Clone Of: 1238843 Environment:
Last Closed: 2015-09-26 17:34:36 UTC Type: Bug
Bug Depends On: 1238843, 1245189    
Bug Blocks: 1221181    

Description Ján Rusnačko 2015-07-03 09:04:53 UTC
+++ This bug was initially created as a clone of Bug #1238843 +++

Simply grepping for /tmp in source code gives a lot of hits, some of which are dangerous, e.g.:

usr/share/rear/verify/DP/default/50_select_dp_restore.sh:

test -f /tmp/dp_list_of_sessions.in && rm -f /tmp/dp_list_of_sessions.in

Would be nice if all occurrences of hardcoded /tmp/.. were replaced with using mktemp.

Filed upstream https://github.com/rear/rear/issues/607
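
The reported pattern next to a mktemp-based replacement, as an added example that is not part of the bug report or of rear's code. A private sandbox directory stands in for /tmp; the function names, the `outside/target` path and the `echo` write that follows the check are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration. All paths are constructed and live in a private sandbox
# directory that stands in for a shared /tmp.

# Pattern from the report: fixed name, check, remove, then (assumed) write.
legacy_write() {    # $1 = directory used in place of /tmp
    lf="$1/dp_list_of_sessions.in"
    test -f "$lf" && rm -f "$lf"    # false for a dangling symlink: nothing removed
    echo "session data" > "$lf"     # the redirection follows that symlink
}

# Replacement: mktemp creates a new file (O_EXCL, mode 0600) under an
# unpredictable name and fails instead of reusing an existing path.
hardened_write() {  # $1 = directory; prints the path it created
    hf=$(mktemp "$1/dp_list_of_sessions.XXXXXX") || return 1
    echo "session data" > "$hf"
    printf '%s\n' "$hf"
}

# Build a sandbox where the fixed name already exists as a symlink that
# points outside the temp directory, run one writer, report where data went.
check_writer() {    # $1 = legacy_write | hardened_write
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp" "$sb/outside"
    ln -s "$sb/outside/target" "$sb/tmp/dp_list_of_sessions.in"
    "$1" "$sb/tmp" > /dev/null
    if [ -e "$sb/outside/target" ]; then result=escaped; else result=contained; fi
    rm -rf "$sb"
    echo "$result"
}

echo "fixed /tmp name: $(check_writer legacy_write)"
echo "mktemp:          $(check_writer hardened_write)"
```

A check like `check_writer` can be kept as a regression test for any script that still writes to a fixed name under /tmp.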

Comment 1 Gratien D'haese 2015-07-24 10:22:56 UTC
The needed changes were done and we will make an intermediate release of rear-1.17.2

Comment 2 Ján Rusnačko 2015-07-24 10:30:53 UTC
Thank you Gratien, for a quick fix and noting this in Bugzilla!

Comment 3 Petr Hracek 2015-07-24 10:38:05 UTC
*** Bug 1245189 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2015-09-01 14:11:12 UTC
rear-1.17.2-1.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14770

Comment 5 Fedora Update System 2015-09-01 14:34:47 UTC
rear-1.17.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14774

Comment 6 Fedora Update System 2015-09-01 15:39:34 UTC
rear-1.17.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14786

Comment 7 Fedora Update System 2015-09-01 19:49:23 UTC
rear-1.17.2-1.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14770

Comment 8 Fedora Update System 2015-09-01 20:21:54 UTC
rear-1.17.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14786

Comment 9 Fedora Update System 2015-09-02 16:21:26 UTC
rear-1.17.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14774

Comment 10 Fedora Update System 2015-09-26 17:34:34 UTC
rear-1.17.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-09-26 21:50:37 UTC
rear-1.17.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-09-27 03:23:08 UTC
rear-1.17.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.