Bug 985017 - p11-kit: TEMP environment variable
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: p11-kit
Version: 6.5
Assigned To: Stef Walter
Aleš Mareček
Blocks: 983512
Reported: 2013-07-16 10:56 EDT by Florian Weimer
Modified: 2013-11-21 06:39 EST
Fixed In Version: p11-kit-0.18.5-1.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 06:39:47 EST
Type: Bug


Attachments
tools: Use $TMPDIR instead of $TEMP (8.54 KB, patch)
2013-07-17 03:58 EDT, Stef Walter
tools: Use $TMPDIR instead of $TEMP (9.46 KB, patch)
2013-07-18 05:58 EDT, Stef Walter


External Trackers
Tracker: Red Hat Product Errata
ID: RHEA-2013:1626
Priority: normal
Status: SHIPPED_LIVE
Summary: new packages: p11-kit
Last Updated: 2013-11-20 16:53:58 EST

Description Florian Weimer 2013-07-16 10:56:40 EDT
common/path.c:expand_tempdir() uses TEMP instead of the more standard TMPDIR variable.  It is unclear whether there are any secure uses of $TEMP in configuration settings.
Comment 2 Stef Walter 2013-07-16 11:36:55 EDT
Interesting. I should look back and see why we're expanding those variables. Maybe we can drop $TEMP if it's only used in tests anyway.
Comment 3 Stef Walter 2013-07-17 03:58:07 EDT
Created attachment 774656
tools: Use $TMPDIR instead of $TEMP

TMPDIR is a more standard environment variable for locating the
temp directory on Unix. In addition since this is only used in
tests, remove the code from the generic p11_path_expand() func.

In general remove the possibility for forks to put $HOME or $TEMP
environment variables in configured paths. This was possible
due to code in p11_path_expand() but not something we supported.
Comment 4 Stef Walter 2013-07-18 05:58:59 EDT
Created attachment 775239
tools: Use $TMPDIR instead of $TEMP

TMPDIR is a more standard environment variable for locating the
temp directory on Unix. In addition since this is only used in
tests, remove the code from the generic p11_path_expand() func.

In general remove the possibility for forks to put $HOME or $TEMP
environment variables in configured paths. This was possible
due to code in p11_path_expand() but not something we supported.
Comment 5 Stef Walter 2013-07-18 10:04:16 EDT
Pushed to p11-kit git stable branch, released as part of p11-kit 0.18.5. Package built for RHEL 6.5.
Comment 7 Karel Srot 2013-07-30 05:55:38 EDT
Hi Stef,
could you please provide sample code or reproducer that allows us to verify that the TMPDIR setting is properly followed? Thank you.
Comment 8 Stef Walter 2013-07-30 06:01:45 EDT
TMPDIR is only used in test cases, so you would use the built test cases in the 0.18.5 source code to verify. Any test case that contains the function call of test_temp_directory() would be appropriate. So for example.

You can run something like:

$ TMPDIR=/blah libtool --mode=execute strace -e open tools/tests/test-save

And you should get a failure like this:

p11-kit: couldn't create temp directory: /blah/test-extract.aUCiib: No such file or directory
lt-test-save: test.c:262: test_temp_directory: Assertion `0 && "not reached"' failed.
Aborted (core dumped)
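
The failure mode Comment 8 describes, shown in a stand-alone helper. This is an added example, not p11-kit's code and not its test_temp_directory(); the name make_temp_directory and the fallback to /tmp for an unset or non-absolute TMPDIR are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper (added illustration, not p11-kit source): create
 * "<TMPDIR>/<prefix>.XXXXXX" with mkdtemp(), which picks an unpredictable
 * name and creates the directory with mode 0700.
 * Returns a malloc'd path, or NULL with errno set.
 */
char *
make_temp_directory (const char *prefix)
{
	const char *base = getenv ("TMPDIR");
	size_t len;
	char *path;

	/* Assumption of this example: unset or non-absolute TMPDIR means /tmp */
	if (base == NULL || base[0] != '/')
		base = "/tmp";

	len = strlen (base) + 1 + strlen (prefix) + sizeof (".XXXXXX");
	path = malloc (len);
	if (path == NULL)
		return NULL;
	snprintf (path, len, "%s/%s.XXXXXX", base, prefix);

	if (mkdtemp (path) == NULL) {
		int saved = errno;
		fprintf (stderr, "couldn't create temp directory: %s: %s\n", path, strerror (saved));
		free (path);
		errno = saved;
		return NULL;
	}
	return path;
}

int main (void)
{
	char *dir = make_temp_directory ("test-extract");
	if (dir == NULL)
		return 1;
	printf ("created %s\n", dir);
	rmdir (dir);
	free (dir);
	return 0;
}
```

Run with TMPDIR pointing at a directory that does not exist, it fails with ENOENT in the same way as the test-save output above; with TMPDIR unset it creates the directory under /tmp.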
Comment 14 errata-xmlrpc 2013-11-21 06:39:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1626.html
