476068 – Post install is a potential security risk.

Bug 476068 - Post install is a potential security risk.

Summary: Post install is a potential security risk.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dmraid
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	LVM and device-mapper development team
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-11 19:32 UTC by Daniel Walsh
Modified:	2008-12-11 21:58 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-12-11 21:11:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Walsh 2008-12-11 19:32:41 UTC

Description of problem:

You are using easily guess able /tmp files that a hacker could create and cause a root process to do some evil things.

Either use /var/run or mktemp to create the temporary file.

This effects all Rawhide, F10 and RHEL5 at least.

Comment 1 Milan Broz 2008-12-11 19:53:47 UTC

Daniel, I think that this problem is not in rawhide nor F10.

RHEL5 rpm was reverted from compose, we found that problem too already,
and this package will be not released.

Please can you provide exact version of spec which is affected?

Comment 2 Alasdair Kergon 2008-12-11 21:11:31 UTC

I can't see the problem in fedora either.

%post libs -p /sbin/ldconfig

Please reopen if you're referring to something else we've missed.

Comment 3 Daniel Walsh 2008-12-11 21:58:13 UTC

ok, thanks.

Note You need to log in before you can comment on or make changes to this bug.