2011-02-16 15:06:13 |
Jamie Strandboge |
bug |
|
|
added bug |
2011-02-16 15:06:29 |
Jamie Strandboge |
description |
Binary package hint: indicator-weather
indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False
if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by an os.rename() to the pidPath, and exit with error if os.rename() fails. |
Binary package hint: indicator-weather
indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False
if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by an os.rename() to the pidPath, and exit with error if os.rename() fails. |
|
2011-02-16 15:12:39 |
Jamie Strandboge |
security vulnerability |
no |
yes |
|
2011-02-16 15:14:41 |
Jamie Strandboge |
description |
Binary package hint: indicator-weather
indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False
if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by an os.rename() to the pidPath, and exit with error if os.rename() fails. |
Binary package hint: indicator-weather
indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
pidPath = "/tmp/weather-indicator.pid"
if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False
if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by an os.rename() to the pidPath, and exit with error if os.rename() fails. |
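The mkstemp()+rename() replacement the report suggests, written out as an added example (this is not indicator-weather's own code nor the fix that was committed); the file name weather-indicator.pid comes from the report, while self_check(), its private directory and the pid values 4242/4343 are constructed for illustration.

```python
import os
import shutil
import tempfile

def write_pid_safely(pid_path, pid=None):
    """The fix the report suggests: tempfile.mkstemp() opens a brand-new file
    (O_CREAT|O_EXCL, mode 0600) in the target directory, so a file or symlink
    planted at pid_path is never opened; os.rename() then replaces pid_path
    atomically. If rename() fails, the temp file is removed and the OSError
    propagates so the caller can exit with an error."""
    pid = os.getpid() if pid is None else pid
    # Same directory as pid_path: rename() must not cross a filesystem.
    fd, tmp_path = tempfile.mkstemp(prefix='.pid-', dir=os.path.dirname(os.path.abspath(pid_path)))
    try:
        with os.fdopen(fd, 'w') as fp:
            fp.write(str(pid))
        os.rename(tmp_path, pid_path)
    except OSError:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return pid_path

def read_pid(pid_path):
    with open(pid_path) as fp:
        return int(fp.read().strip())

def self_check():
    """Exercise the writer in a private directory (constructed); returns what was observed."""
    work = tempfile.mkdtemp(prefix='pidcheck-')
    try:
        pid_path = os.path.join(work, 'weather-indicator.pid')   # file name from the report
        write_pid_safely(pid_path, pid=4242)
        first = read_pid(pid_path)
        write_pid_safely(pid_path, pid=4343)   # a second write replaces the file atomically
        second = read_pid(pid_path)
        blocked = os.path.join(work, 'blocked')
        os.mkdir(blocked)                      # rename() onto a directory must fail
        try:
            write_pid_safely(blocked, pid=1)
            failed = False
        except OSError:
            failed = True
        leftovers = [n for n in os.listdir(work) if n.startswith('.pid-')]
        return {'first': first, 'second': second, 'rename_failed': failed, 'leftovers': leftovers}
    finally:
        shutil.rmtree(work)
```

rename() replaces whatever entry sits at pidPath, so on a sticky-bit /tmp it fails when that entry belongs to another user; keeping the pid file in a per-user directory avoids that interaction entirely.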
|
2011-02-16 15:17:07 |
Vadim Rutkovsky |
indicator-weather (Ubuntu): status |
New |
Confirmed |
|
2011-02-16 15:17:14 |
Vadim Rutkovsky |
bug task added |
|
weather-indicator |
|
2011-02-16 15:17:28 |
Vadim Rutkovsky |
weather-indicator: importance |
Undecided |
Low |
|
2011-02-16 15:17:28 |
Vadim Rutkovsky |
weather-indicator: status |
New |
Confirmed |
|
2011-02-16 15:17:28 |
Vadim Rutkovsky |
weather-indicator: milestone |
|
11.02.27 |
|
2011-02-16 15:17:28 |
Vadim Rutkovsky |
weather-indicator: assignee |
|
Vadim Rutkovsky (roignac) |
|
2011-02-16 22:08:37 |
Vadim Rutkovsky |
weather-indicator: status |
Confirmed |
Fix Committed |
|
2011-02-16 22:09:32 |
Launchpad Janitor |
branch linked |
|
lp:~roignac/weather-indicator/11.02.13 |
|
2011-03-20 11:23:50 |
Vadim Rutkovsky |
weather-indicator: status |
Fix Committed |
Fix Released |
|
2011-03-20 18:13:05 |
Andrew Starr-Bochicchio |
indicator-weather (Ubuntu): status |
Confirmed |
Triaged |
|
2011-03-20 18:13:08 |
Andrew Starr-Bochicchio |
indicator-weather (Ubuntu): importance |
Undecided |
Low |
|
2011-03-21 02:25:11 |
Launchpad Janitor |
indicator-weather (Ubuntu): status |
Triaged |
Fix Released |
|
2011-04-27 03:58:11 |
Launchpad Janitor |
branch linked |
|
lp:~ken-vandine/weather-indicator/no_desktopcouch_packaging |
|