indicator-weather doesn't not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
if os.path.exists(pidPath):
... do stuff
else:
self.lasterror=False
if not self.lasterror:
fp=open(pidPath, 'w')
fp.write(str(os.getpid()))
fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by a os.rename() to the pidPath, and exit with error if os.rename() fails.
Binary package hint: indicator-weather
indicator-weather doesn't not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:
if os.path. exists( pidPath) : lasterror= False
... do stuff
else:
self.
if not self.lasterror: open(pidPath, 'w') write(str( os.getpid( )))
fp=
fp.
fp.close()
This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by a os.rename() to the pidPath, and exit with error if os.rename() fails.