ec2-bundle-image and ec2-unbundle-image use single, static named fifo in /tmp

Bug #439788 reported by Scott Moser
Affects | Status | Importance | Assigned to | Milestone
ec2-ami-tools (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

Binary package hint: ec2-ami-tools

The ec2-bundle-image and ec2-unbundle-image tools make fifos in /tmp with names of ec2-bundle-image-digest and ec2-unbundle-image-digest respectively. This is potentially a security issue, and definitely it means that 2 processes can't be doing this at the same time.

The proposed patch attached uses a random filename in /tmp for feeding to mkfifo. It also turns down the permissions on the fifo that is created, using the '--mode' flag to mkfifo.
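
The approach described above, sketched as an added shell example that is not the attached patch or ec2-ami-tools code: each run gets its own FIFO with owner-only permissions, so concurrent runs do not collide and other local users cannot open it. It goes slightly beyond the description by placing the FIFO in a private `mktemp -d` directory; the function names, the `digest` file name and the use of `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example; function names and the "digest" file name are assumptions.

# make_private_fifo PREFIX: print the path of a new FIFO that only the
# calling user can open, under an unpredictable directory name.
make_private_fifo() {
    # mktemp -d creates the directory atomically with mode 0700.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXXXX") || return 1
    # -m 600 sets the mode at creation time, independent of the umask.
    if ! mkfifo -m 600 "$dir/digest"; then
        rmdir "$dir"
        return 1
    fi
    printf '%s\n' "$dir/digest"
}

# remove_private_fifo PATH: delete the FIFO and its private directory.
remove_private_fifo() {
    rm -f "$1" && rmdir "$(dirname "$1")"
}

# file_mode PATH: octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# digest_while_copying SRC DST: copy SRC to DST and print the SHA-256 of
# the copied bytes, computed by a reader attached to a private FIFO.
digest_while_copying() {
    fifo=$(make_private_fifo bundle-digest) || return 1
    sha256sum < "$fifo" > "$fifo.sum" &
    reader=$!
    tee "$fifo" < "$1" > "$2"
    wait "$reader"
    cut -d' ' -f1 "$fifo.sum"
    rm -f "$fifo.sum"
    remove_private_fifo "$fifo"
}
```

Two calls to `make_private_fifo` with the same prefix return different paths, which is what lets two bundling processes run at once.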

Scott Moser (smoser) wrote :
Scott Moser (smoser)
Changed in ec2-ami-tools (Ubuntu):
assignee: Scott Moser (smoser) → nobody
Fabrice Coutadeur (fabricesp) wrote :

Hi,

This patch makes sense.

Can you check with upstream about their position on that?

Thanks,
Fabrice

Scott Moser (smoser) wrote :

I posted in the ec2 forum: http://developer.amazonwebservices.com/connect/thread.jspa?threadID=37039
I'm not sure there is a better way to interact with the upstream in this case.

Scott Moser (smoser) wrote :

Fix released in 1.3-34544-0ubuntu3.
Additionally, I got some feedback from an Amazon developer indicating that they will include this in future releases.

Changed in ec2-ami-tools (Ubuntu):
status: Confirmed → Fix Released