Bug 1238843 - rear: Insecure temporary file usage
Summary: rear: Insecure temporary file usage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rear
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Hracek
QA Contact: Tereza Cerna
URL:
Whiteboard:
Depends On:
Blocks: 1221181 1239009 1245189
TreeView+ depends on / blocked
 
Reported: 2015-07-02 19:15 UTC by Ján Rusnačko
Modified: 2015-11-19 09:01 UTC (History)
4 users (show)

Fixed In Version: rear-1.17.2-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1239009 1245189 (view as bug list)
Environment:
Last Closed: 2015-11-19 09:01:05 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:2244 normal SHIPPED_LIVE new package: rear 2015-11-19 09:11:33 UTC

Description Ján Rusnačko 2015-07-02 19:15:12 UTC
Simply grepping for /tmp in source code gives a lot of hits, some of which are dangerous, e.g.:

usr/share/rear/verify/DP/default/50_select_dp_restore.sh:

test -f /tmp/dp_list_of_sessions.in && rm -f /tmp/dp_list_of_sessions.in

Would be nice if all occurences of hardcoded /tmp/.. were replaced with using mktemp.

Filed upstream https://github.com/rear/rear/issues/607

Comment 2 Gratien D'haese 2015-07-24 10:24:14 UTC
The needed changes were done and we will make an intermediate release of rear-1.17.2

Comment 3 Fedora Update System 2015-09-01 16:18:55 UTC
rear-1.17.2-1.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7888

Comment 4 Fedora Update System 2015-09-01 17:07:51 UTC
rear-1.17.2-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7889

Comment 5 Fedora Update System 2015-09-01 17:53:28 UTC
rear-1.17.2-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7891

Comment 6 Fedora Update System 2015-09-02 03:48:12 UTC
rear-1.17.2-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7888

Comment 7 Fedora Update System 2015-09-02 08:47:25 UTC
rear-1.17.2-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7889

Comment 8 Fedora Update System 2015-09-02 08:49:02 UTC
rear-1.17.2-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update rear'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7891

Comment 10 Petr Hracek 2015-09-24 09:50:36 UTC
Switching to MODIFIED so that I am able to add it to errata.

Comment 13 Fedora Update System 2015-09-27 08:54:50 UTC
rear-1.17.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-09-27 15:57:18 UTC
rear-1.17.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-09-27 18:22:12 UTC
rear-1.17.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2015-11-19 09:01:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2244.html


Note You need to log in before you can comment on or make changes to this bug.