Red Hat Bugzilla – Bug 17544
HUGE race condition in Glint
Last modified: 2008-05-01 11:37:58 EDT
I was following that Glint thread on redhat-devel list and it reminded me
of something I noticed a long time ago in Glint on Red Hat Linux 5.2:
There is a HUGE race condition in Glint that shipped with RHL 5.2 and
probably previous that needs to be fixed. When using glint if a package
has an icon other than the default icon in glint (several did) then a file
named /tmp/glint.gif was created. The file always had the same name
and would follow symlinks as well, allowing ANY file on ANY mounted
filesystem to be overwritten when root ran Glint. I forgot to report this
because I realized it shortly before upgrading to 6.2 so it never got
Because many people still use RHL 5.2 and apparently some still use
Glint, I think it is important to put out an errata on this and fix glint.
offensive code is in area.py (part of glint lib):
f = open("/tmp/glint.gif", "w")
image = RHPhoto()
I don't know python so I can't submit a patch, but I'd suggest either
the file to the user's home directory or adding random characters onto the
end of the name. PID would be too predictable.
Fixed in 2.6.3, which will be released as an errata.
We did so last week :)
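The fixed-name write from the report, next to two hardened alternatives, as an added example in Python 3 (not Glint's code and not the 2.6.3 patch). The function names and the sandbox file `important.conf` are hypothetical, and a private temporary directory stands in for /tmp.

```python
import os
import tempfile

def write_icon_unsafe(path, data):
    # Pattern from the report: fixed name, plain open(), symlinks are followed.
    with open(path, "wb") as f:
        f.write(data)

def write_icon_exclusive(path, data):
    # O_CREAT|O_EXCL fails if the name already exists, even as a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_icon_mkstemp(data, directory=None):
    # mkstemp picks an unpredictable name and creates it O_EXCL, owner-only.
    fd, path = tempfile.mkstemp(prefix="glint-", suffix=".gif", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def read(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    # Constructed sandbox: a private directory stands in for /tmp.
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:
        target = os.path.join(sandbox, "important.conf")  # hypothetical file
        fixed = os.path.join(sandbox, "glint.gif")
        with open(target, "wb") as f:
            f.write(b"original")
        os.symlink(target, fixed)  # name already taken by a link
        try:
            write_icon_exclusive(fixed, b"GIF89a")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        path = write_icon_mkstemp(b"GIF89a", sandbox)
        out["mkstemp_is_link"] = os.path.islink(path)
        out["mkstemp_group_other_bits"] = os.stat(path).st_mode & 0o077
        out["target_after_safe"] = read(target)
        write_icon_unsafe(fixed, b"GIF89a")  # the reported behaviour
        out["target_after_unsafe"] = read(target)
    return out

if __name__ == "__main__":
    print(demo())
```

The exclusive open refuses the pre-existing name and `mkstemp` writes to a fresh file, so the linked file keeps its contents until the plain `open()` runs.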