Bug 1239009 - rear: Insecure temporary file usage
Summary: rear: Insecure temporary file usage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rear
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Gratien D'haese
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1245189
Depends On: 1238843 1245189
Blocks: 1221181
Reported: 2015-07-03 09:04 UTC by Ján Rusnačko
Modified: 2015-09-27 03:23 UTC (History)

Fixed In Version: 1.17.2 rear-1.17.2-1.fc23 rear-1.17.2-1.fc21 rear-1.17.2-1.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1238843
Environment:
Last Closed: 2015-09-26 17:34:36 UTC



Description Ján Rusnačko 2015-07-03 09:04:53 UTC
+++ This bug was initially created as a clone of Bug #1238843 +++

Simply grepping for /tmp in source code gives a lot of hits, some of which are dangerous, e.g.:

usr/share/rear/verify/DP/default/50_select_dp_restore.sh:

test -f /tmp/dp_list_of_sessions.in && rm -f /tmp/dp_list_of_sessions.in

Would be nice if all occurrences of hardcoded /tmp/.. were replaced with using mktemp.

Filed upstream https://github.com/rear/rear/issues/607
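
The pattern quoted in the description next to a mktemp-based replacement, as an added example that is not part of the bug report or of ReaR's code. The function names, the sandbox directory standing in for /tmp, and the write that follows the rm -f are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not ReaR code. A private sandbox directory stands in for the
# shared /tmp, and the later write to the file is an assumption.

# Pattern from the report: fixed, predictable name in a shared directory.
write_fixed() {                       # $1 = directory, $2 = data
    f="$1/dp_list_of_sessions.in"
    test -f "$f" && rm -f "$f"        # test -f is false for a dangling symlink
    printf '%s\n' "$2" > "$f"         # the redirect then follows that link
}

# Replacement: mktemp creates the file atomically (O_EXCL) under an
# unpredictable name with mode 0600; it never reuses an existing entry.
write_private() {                     # $1 = directory, $2 = data; prints path
    f=$(mktemp "$1/dp_list_of_sessions.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Self-check: pre-create a link at the fixed name (constructed scenario), run
# one writer, and report whether data landed outside the directory.
check_writer() {                      # $1 = write_fixed | write_private
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/elsewhere"
    ln -s "$box/elsewhere/target" "$box/shared/dp_list_of_sessions.in"
    "$1" "$box/shared" "session data" >/dev/null
    if [ -e "$box/elsewhere/target" ]; then result=followed; else result=contained; fi
    rm -rf "$box"
    printf '%s\n' "$result"
}

check_writer write_fixed      # followed
check_writer write_private    # contained
```

When many scratch files are needed, one mktemp -d directory removed by a trap on EXIT keeps cleanup in a single place.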

Comment 1 Gratien D'haese 2015-07-24 10:22:56 UTC
The needed changes were done and we will make an intermediate release of rear-1.17.2

Comment 2 Ján Rusnačko 2015-07-24 10:30:53 UTC
Thank you Gratien, for a quick fix and noting this in Bugzilla!

Comment 3 Petr Hracek 2015-07-24 10:38:05 UTC
*** Bug 1245189 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2015-09-01 14:11:12 UTC
rear-1.17.2-1.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14770

Comment 5 Fedora Update System 2015-09-01 14:34:47 UTC
rear-1.17.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14774

Comment 6 Fedora Update System 2015-09-01 15:39:34 UTC
rear-1.17.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14786

Comment 7 Fedora Update System 2015-09-01 19:49:23 UTC
rear-1.17.2-1.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14770

Comment 8 Fedora Update System 2015-09-01 20:21:54 UTC
rear-1.17.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14786

Comment 9 Fedora Update System 2015-09-02 16:21:26 UTC
rear-1.17.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rear'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14774

Comment 10 Fedora Update System 2015-09-26 17:34:34 UTC
rear-1.17.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-09-26 21:50:37 UTC
rear-1.17.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-09-27 03:23:08 UTC
rear-1.17.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

