Bug 17544 - HUGE race condition in Glint
Summary: HUGE race condition in Glint
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glint
Version: 5.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
 
Reported: 2000-09-15 17:30 UTC by SB
Modified: 2008-05-01 15:37 UTC

Clone Of:
Last Closed: 2000-09-15 19:06:08 UTC



Description SB 2000-09-15 17:30:36 UTC
I was following that Glint thread on redhat-devel list and it reminded me
of something I noticed a long time ago in Glint on Red Hat Linux 5.2:

There is a HUGE race condition in Glint that shipped with RHL 5.2 and
probably previous ones that needs to be fixed.  When using glint, if a package
has an icon other than the default icon in glint (several did), then a file
named /tmp/glint.gif was created.  The file always had the same name
and would follow symlinks as well, allowing ANY file on ANY mounted
filesystem to be overwritten when root ran Glint.  I forgot to report this
because I realized it shortly before upgrading to 6.2, so it never got
reported.
Because many people still use RHL 5.2 and apparently some still use
Glint, I think it is important to put out an errata on this and fix glint.  The
offensive code is in area.py (part of glint lib):

.....
        if (package.getIcon()):
            # Fixed, predictable name in the world-writable /tmp; open(..., "w")
            # truncates whatever the path resolves to, so a symlink planted here
            # by any local user is followed when root runs Glint.
            f = open("/tmp/glint.gif", "w")
            f.write(package.getIcon())
            f.close()
            image = RHPhoto()
            image.read("/tmp/glint.gif")

            self.imageList.append(image)
.....

I don't know python so I can't submit a patch, but I'd suggest either moving
the file to the user's home directory or adding random characters onto the
end of the name.  PID would be too predictable.

-Stan Bubrouski
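The race described in the report, reproduced and then closed, as an added example that is not glint's own code and not part of the original bug. It stands in for area.py with a constructed icon byte string and a private scratch directory instead of /tmp; RHPhoto is not used, and the function names (write_icon_unsafe, create_exclusive, write_icon_safe, demo) are this example's own. The unsafe writer uses the same fixed-name open-for-write pattern as area.py and is shown following a planted symlink; the hardened writer combines the reporter's "random characters" suggestion with exclusive creation (O_CREAT|O_EXCL, plus O_NOFOLLOW where the platform has it) and a 0600 mode, so a pre-placed link is refused rather than followed.

```python
# Added example (not glint's code): the symlink race from area.py reproduced
# in a private scratch directory, beside a hardened replacement. All paths and
# the icon bytes below are constructed for the demonstration.
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the bytes package.getIcon() would return.
ICON_BYTES = b"GIF89a" + b"\x00" * 16


def write_icon_unsafe(path, data):
    """Same pattern as area.py: a fixed path opened for writing.

    open() with a write mode follows a symlink sitting at `path`, so the
    write lands wherever the link points, with the caller's privileges."""
    with open(path, "wb") as f:
        f.write(data)
    return path


def create_exclusive(path, data):
    """Create `path` only if nothing is there yet.

    O_EXCL makes open() fail with EEXIST if the path already exists, and a
    symlink counts as existing even when dangling, so a planted link is
    refused instead of followed. O_NOFOLLOW is added where available; mode
    0600 keeps other users from reading the file afterwards."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def write_icon_safe(data, directory=None):
    """Hardened icon write: random suffix (not the PID, which the report notes
    is guessable) plus the same exclusive create as above. tempfile.mkstemp
    does both and creates the file with mode 0600; with directory=None it
    honours TMPDIR."""
    fd, path = tempfile.mkstemp(prefix="glint-", suffix=".gif", dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo():
    """Plant a symlink named glint.gif that points at a 'victim' file, then show
    that the unsafe writer clobbers the victim while the safe variants do not.
    Returns a dict of observations so the outcome can be checked in code."""
    root = tempfile.mkdtemp(prefix="glint-demo-")
    try:
        victim = os.path.join(root, "victim")      # stands in for any root-owned file
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        link = os.path.join(root, "glint.gif")     # what an attacker pre-creates in /tmp
        os.symlink(victim, link)

        # 1. The original pattern follows the link and overwrites the victim.
        write_icon_unsafe(link, ICON_BYTES)
        with open(victim, "rb") as f:
            unsafe_clobbered = f.read() == ICON_BYTES

        # 2. Exclusive creation at the same planted path is refused outright.
        try:
            create_exclusive(link, ICON_BYTES)
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        # 3. The hardened writer never touches the planted name at all.
        safe_path = write_icon_safe(ICON_BYTES, directory=root)
        with open(safe_path, "rb") as f:
            safe_roundtrip = f.read() == ICON_BYTES
        safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
        safe_is_regular = not os.path.islink(safe_path) and os.path.isfile(safe_path)

        return {
            "unsafe_clobbered_victim": unsafe_clobbered,
            "exclusive_refused_symlink": exclusive_refused,
            "safe_name_differs": os.path.basename(safe_path) != "glint.gif",
            "safe_roundtrip": safe_roundtrip,
            "safe_mode": safe_mode,
            "safe_is_regular": safe_is_regular,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script on a POSIX system to see the three observations side by side. The random name alone is not the fix: a guessable name under a different directory, or a random name opened without O_EXCL, still loses the race. Exclusive creation is what turns a planted link into an error, and the reporter's home-directory suggestion only helps when that directory is not writable by other users.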

Comment 1 Trond Eivind Glomsrød 2000-09-15 19:04:19 UTC
Fixed in 2.6.3, which will be released as an errata.

Comment 2 Trond Eivind Glomsrød 2000-09-26 16:34:07 UTC
We did so last week :)

