Summary: | app-misc/screen /tmp/screen-exchange Insecure Temporary File (CVE-2009-{1214,1215}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED UPSTREAM | ||
Severity: | normal | CC: | shell-tools, swegener |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=492104 | ||
Whiteboard: | A3 [ebuild] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-04-01 23:49:11 UTC
See bug #95273, we've changed the default buffer file to $HOME/.screen_exchange. And for the default location, screen checks whether it's a hardlink or symlinks and rejects to write to it. See the explanation in the redhat bug as reference. There is still a race, if someone replaces the regular exchange file with a link to a file having the same dev and inode number, but that is highly unlikely. Oh, I was not aware of that change in defaults. Since there is no reason for the program to handle files securely in a user's home directory, I'm closing this as UPSTREAM. A user could still configure screen to use /tmp as a directory for exchange files, however that is at the user's discretion and risk (for both data disclosure and race confidition). If screen upstream is going to consider the race condition an issue, we'll get the updates via the usual channel anyway -- no need for priority handling. |