I was following that Glint thread on redhat-devel list and it reminded me of something I noticed a long time ago in Glint on Red Hat Linux 5.2: There is a HUGE race condition in Glint that shipped with RHL 5.2 and probably previous that needs to be fixed. When using glint if a package has an icon other than the default icon in glint (several did) then a file named /tmp/glint.gif was created. The file always had the same name and would follow symlinks as well, allowing ANY file on ANY mounted filesystem to be overwritten when root ran Glint. I forgot to report this because I realized it shortly before upgrading to 6.2 so it never got reported. Because many people still use RHL 5.2 and apparently some still use Glint, I think it is important to put out an errata on this and fix glint. The offensive code is in area.py (part of glint lib): ..... if (package.getIcon()): f = open("/tmp/glint.gif", "w") f.write(package.getIcon()) f.close() image = RHPhoto() image.read("/tmp/glint.gif") self.imageList.append(image) ..... I don't know python so I can't submit a patch, but I'd suggest either moving the file to the user's home directory or adding random characters onto the end of the name. PID would be to predictable. -Stan Bubrouski
Fixed in 2.6.3, which will be released as an errata.
We did so last week :)