Bug 17544 - HUGE race condition in Glint
Summary: HUGE race condition in Glint
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glint
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact:
Keywords: Security
Depends On:
Reported: 2000-09-15 17:30 UTC by SB
Modified: 2008-05-01 15:37 UTC

Clone Of:
Last Closed: 2000-09-15 19:06:08 UTC

Description SB 2000-09-15 17:30:36 UTC
I was following that Glint thread on redhat-devel list and it reminded me
of something I noticed a long time ago in Glint on Red Hat Linux 5.2:

There is a HUGE race condition in Glint that shipped with RHL 5.2 and
probably previous that needs to be fixed.  When using glint if a package
has an icon other than the default icon in glint (several did) then a file
named /tmp/glint.gif was created.  The file always had the same name
and would follow symlinks as well, allowing ANY file on ANY mounted
filesystem to be overwritten when root ran Glint.  I forgot to report this
because I realized it shortly before upgrading to 6.2 so it never got 
Because many people still use RHL 5.2 and apparently some still use
Glint, I think it is important to put out an errata on this and fix glint. 
offensive code is in area.py (part of glint lib):

       if (package.getIcon()):
            f = open("/tmp/glint.gif", "w")
            image = RHPhoto()

I don't know python so I can't submit a patch, but I'd suggest either 
the file to the user's home directory or adding random characters onto the
end of the name.  PID would be too predictable.

-Stan Bubrouski
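
Added example (not part of the original report and not Glint's own code): the fixed-name write pattern quoted above next to two hardened forms, an exclusive no-follow create and a randomly named file from tempfile.mkstemp. The function names, the scratch directory and the stand-in file important.conf are assumptions constructed for the illustration; everything runs inside a private temporary directory.

```python
import os
import tempfile

def write_icon_predictable(path, data):
    """The reported pattern: fixed name, plain open() for writing follows symlinks."""
    with open(path, "wb") as f:
        f.write(data)

def write_icon_exclusive(path, data):
    """Fixed name, but refuse to reuse an existing entry or follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # raises FileExistsError if anything is there
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_icon_random(data, directory=None):
    """Unpredictable name, created exclusively with mode 0600 by mkstemp."""
    fd, path = tempfile.mkstemp(prefix="glint-", suffix=".gif", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Run all three writers in a private scratch directory (constructed data)."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "important.conf")  # stand-in for a root-owned file
        fixed = os.path.join(scratch, "glint.gif")        # stand-in for /tmp/glint.gif
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        os.symlink(victim, fixed)                         # link already at the fixed name
        write_icon_predictable(fixed, b"GIF89a")
        with open(victim, "rb") as f:
            results["predictable_clobbered_victim"] = f.read() == b"GIF89a"
        with open(victim, "wb") as f:                     # restore before the hardened run
            f.write(b"original contents\n")
        try:
            write_icon_exclusive(fixed, b"GIF89a")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        with open(victim, "rb") as f:
            results["victim_intact"] = f.read() == b"original contents\n"
        path = write_icon_random(b"GIF89a", directory=scratch)
        results["random_mode"] = oct(os.stat(path).st_mode & 0o777)
        results["random_is_link"] = os.path.islink(path)
    return results
```

Calling demo() returns a dict showing that the fixed-name writer overwrote the linked file while the exclusive writer refused and left it intact.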

Comment 1 Trond Eivind Glomsrød 2000-09-15 19:04:19 UTC
Fixed in 2.6.3, which will be released as an errata.

Comment 2 Trond Eivind Glomsrød 2000-09-26 16:34:07 UTC
We did so last week :)
