Comment 20 for bug 357024

2009-04-15 20:39:32 -0000, Jamie Strandboge:
> Marked as 'Low' based on the attack vector being limited to a timing-
> based symlink attack. Will update as needed as the impact is further
> evaluated.
[...]

It's a:

if (condition) action

race condition where there's an easy and obvious way (there
might be even simpler ways I've not thought of) for an attacker
to make the window for the race condition as large as he wishes,
so I wouldn't really call it a "timing-based" one.

It's really a classical one which looks just like the poor
"cleaning /tmp scripts" found on some systems. I just found out
there's even a lengthy section about that in GNU find
documentation:

info find 'Security Considerations'

--
Stephane
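The check-then-act pattern the comment describes, as an added example that is not code from the bug report or from the package under discussion: a scratch-directory sweeper that does its check and its unlink relative to a pinned directory descriptor instead of re-resolving a path string, which is the same idea the GNU find section cited above builds on. Function names and the constructed scenario in demo() are assumptions.

```python
import os
import stat
import tempfile
import time

# Added example, not code from the bug report or the affected package.
# A stale-file sweeper that avoids the "if (condition) action" race: the
# check and the unlink are done relative to a pinned directory descriptor,
# never on a path string the kernel resolves afresh at each call.

def sweep_stale(directory, max_age):
    """Unlink regular files older than max_age seconds; return their names."""
    removed = []
    now = time.time()
    # O_NOFOLLOW: refuse a directory path that is itself a symlink.
    dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dfd):
            # lstat relative to dfd: a symlink entry is seen as a symlink, and
            # dfd keeps pointing at the original directory inode even if the
            # path 'directory' is swapped for a symlink after os.open().
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode) or now - st.st_mtime <= max_age:
                continue
            # unlink(2) never follows symlinks and, relative to dfd, can only
            # remove an entry of this directory, so whatever replaces 'name'
            # between the stat and here, nothing outside the directory is hit.
            os.unlink(name, dir_fd=dfd)
            removed.append(name)
    finally:
        os.close(dfd)
    return removed

def demo():
    """Constructed scenario: an old file, a fresh file, and a symlink to an
    old file outside the scratch directory. Returns what was removed/kept."""
    outside, scratch = tempfile.mkdtemp(), tempfile.mkdtemp()
    target = os.path.join(outside, "precious")
    old = os.path.join(scratch, "old.tmp")
    for path in (target, old, os.path.join(scratch, "fresh.tmp")):
        with open(path, "w") as f:
            f.write("data\n")
    os.symlink(target, os.path.join(scratch, "link.tmp"))
    past = time.time() - 3600
    os.utime(old, (past, past))
    os.utime(target, (past, past))
    removed = sweep_stale(scratch, max_age=60)
    return {"removed": removed, "target_kept": os.path.exists(target),
            "link_kept": os.path.lexists(os.path.join(scratch, "link.tmp"))}
```

The residual window between the stat and the unlink still exists, but it can only affect an entry of the pinned directory, which is what turns the bug from arbitrary file removal into a non-issue for a cleanup job.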