Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 17544 - HUGE race condition in Glint
HUGE race condition in Glint
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: glint (Show other bugs)
5.2
All Linux
high Severity medium
: ---
: ---
Assigned To: Trond Eivind Glomsrxd
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-15 13:30 EDT by SB
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-09-15 15:06:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description SB 2000-09-15 13:30:36 EDT 
I was following that Glint thread on redhat-devel list and it reminded me
of something I noticed a long time ago in Glint on Red Hat Linux 5.2:

There is a HUGE race condition in Glint that shipped with RHL 5.2 and
probably previous that needs to be fixed.  When using glint if a package
has an icon other than the default icon in glint (several did) then a file
named /tmp/glint.gif was created.  The file always had the same name
and would follow symlinks as well, allowing ANY file on ANY mounted
filesystem to be overwritten when root ran Glint.  I forgot to report this
because I realized it shortly before upgrading to 6.2 so it never got 
reported.
Because many people still use RHL 5.2 and apparently some still use
Glint, I think it is important to put out an errata on this and fix glint. 
 The
offensive code is in area.py (part of glint lib):

.....
       if (package.getIcon()):
            f = open("/tmp/glint.gif", "w")
            f.write(package.getIcon())
            f.close()
            image = RHPhoto()
            image.read("/tmp/glint.gif")
    
            self.imageList.append(image)
.....

I don't know python so I can't submit a patch, but I'd suggest either 
moving
the file to the user's home directory or adding random characters onto the
end of the name.  PID would be to predictable.

-Stan Bubrouski
Comment 1 Trond Eivind Glomsrxd 2000-09-15 15:04:19 EDT 
Fixed in 2.6.3, which will be released as an errata.
Comment 2 Trond Eivind Glomsrxd 2000-09-26 12:34:07 EDT 
We did so last week :)
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.