Bug 17544 - HUGE race condition in Glint
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: glint
Version: 5.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Trond Eivind Glomsrød
Keywords: Security
Reported: 2000-09-15 13:30 EDT by SB
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-09-15 15:06:08 EDT
Description SB 2000-09-15 13:30:36 EDT
I was following that Glint thread on redhat-devel list and it reminded me
of something I noticed a long time ago in Glint on Red Hat Linux 5.2:

There is a HUGE race condition in Glint that shipped with RHL 5.2 and
probably previous that needs to be fixed.  When using glint if a package
has an icon other than the default icon in glint (several did) then a file
named /tmp/glint.gif was created.  The file always had the same name
and would follow symlinks as well, allowing ANY file on ANY mounted
filesystem to be overwritten when root ran Glint.  I forgot to report this
because I realized it shortly before upgrading to 6.2 so it never got 
reported.
Because many people still use RHL 5.2 and apparently some still use
Glint, I think it is important to put out an errata on this and fix glint.
The offensive code is in area.py (part of glint lib):

.....
       if (package.getIcon()):
            f = open("/tmp/glint.gif", "w")
            f.write(package.getIcon())
            f.close()
            image = RHPhoto()
            image.read("/tmp/glint.gif")
    
            self.imageList.append(image)
.....

I don't know python so I can't submit a patch, but I'd suggest either moving
the file to the user's home directory or adding random characters onto the
end of the name.  PID would be too predictable.

-Stan Bubrouski
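
The following is an added example, not part of the original report and not Glint's code or the fix shipped in 2.6.3 (the page does not show that fix). It puts the fixed-name write from area.py next to a hardened writer based on Python's tempfile.mkstemp(), and runs both in a private scratch directory that stands in for /tmp. The function names, the ICON bytes and the important.conf file are constructed for illustration.

```python
import os
import tempfile

ICON = b"GIF89a-constructed-sample-icon"  # constructed stand-in for package.getIcon()
ORIGINAL = b"original contents"           # constructed contents of the file at risk

def write_icon_fixed_name(path, data):
    """Pattern from the report: a fixed, predictable name opened for writing.
    open() follows a symlink already present at `path` and truncates its target."""
    with open(path, "wb") as f:
        f.write(data)

def write_icon_safely(data, directory=None):
    """Hardened form: mkstemp() picks an unpredictable name and creates the file
    with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink is never reused."""
    fd, path = tempfile.mkstemp(prefix="glint-", suffix=".gif", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    """Exercise both writers inside a scratch directory standing in for /tmp."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "important.conf")  # constructed file
        write_icon_fixed_name(victim, ORIGINAL)           # plain write, no link yet
        fixed = os.path.join(scratch, "glint.gif")
        os.symlink(victim, fixed)  # the pre-existing link described in the report

        write_icon_fixed_name(fixed, ICON)
        clobbered = read_bytes(victim) == ICON  # target overwritten via the link

        write_icon_fixed_name(victim, ORIGINAL)  # restore before the second run
        safe_path = write_icon_safely(ICON, directory=scratch)
        intact = read_bytes(victim) == ORIGINAL
        wrote_icon = read_bytes(safe_path) == ICON
        mode = os.stat(safe_path).st_mode & 0o777
        return clobbered, intact, wrote_icon, mode, os.path.islink(safe_path)

if __name__ == "__main__":
    print(demo())
```

A caller that uses write_icon_safely() is responsible for deleting the returned path once the image has been read.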
Comment 1 Trond Eivind Glomsrød 2000-09-15 15:04:19 EDT
Fixed in 2.6.3, which will be released as an errata.
Comment 2 Trond Eivind Glomsrød 2000-09-26 12:34:07 EDT
We did so last week :)
