
Re: [Bacula-devel] Debian Bacula vuln


Adam Thornton wrote:
> On Dec 9, 2008, at 12:37 PM, Kern Sibbald wrote:
> 
>> On Tuesday 09 December 2008 08:55:23 Peter Mottram wrote:
>>> Dan Langille wrote:
>>>> "The possibility of attack with the help of symlinks in some Debian
>>>> packages"
>>>>
>>>> I heard about the first URL, which leads to the other two:
>>>>
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?execution=e4s1
>>>> http://lists.debian.org/debian-devel/2008/08/msg00347.html
>>>> http://uvw.ru/report.sid.txt
>>>>
>>>> Short version: It's a packaging problem, not a Bacula problem but I
>>>> have not confirmed this.
>>> According to the report at http://uvw.ru/report.sid.txt the problem is
>>> insecure use of /tmp on lines 105 to 109 of
>>> examples/autochangers/mtx-changer.Adic-Scalar-24 - looks like a bacula
>>> problem and not packaging.
>>>
>>> Easy fix - just use mktemp.
>> This is not really a "Bacula" problem because files in examples are
>> contributed code and not used or "supported" by the project.
> 
> 
> Well, OK, but it really IS an easy fix.  This is not tested, but
> something like this should suffice:
> 
> ...
> 
> 
> 	   loaded)
> 	      tempfile=`mktemp -t` || exit 33 # Or whatever nonzero exit code is appropriate
> 	      ${MTX} -f $ctl status > "$tempfile"
> 	      rtn=$?
> 	      cat "$tempfile" | grep "^Data Transfer Element $drive:Full" | awk '{print $7}'
> 	      cat "$tempfile" | grep "^Data Transfer Element $drive:Empty" | awk '{print 0}'
> 	      rm -f "$tempfile"
> 	      exit $rtn
> 	      ;;
> ...
> 
> So we just add a call to mktemp (respecting $TMPDIR if set) and bail
> out with a return code if it fails.  If it succeeds then we just use
> that filename instead of /tmp/mtx.$$.


Committed revision 8134.

On an unrelated note, why is that a print 0 and not a print $0 or
something similar?

_______________________________________________
Bacula-devel mailing list
Bacula-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/bacula-devel
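The two patterns the thread contrasts, the predictable /tmp/mtx.$$ file and the mktemp replacement, as an added example that is not the Bacula project's mtx-changer script and was not posted by anyone in this thread. The function names (loaded_slot_unsafe, loaded_slot, slot_from_status, fake_mtx_status) are hypothetical, fake_mtx_status stands in for "${MTX} -f $ctl status", and the two status dumps are constructed samples in the shape mtx prints, not output captured from a real changer. It also carries the exit-status and cleanup handling the quoted snippet leaves implicit.

```shell
#!/bin/sh
# Added example, not the Bacula project's mtx-changer script: a "loaded"
# query that parses `mtx status` output through a temp file, showing the
# predictable-name pattern beside the mktemp fix discussed in the thread.
# fake_mtx_status, SAMPLE_FULL and SAMPLE_EMPTY are constructed stand-ins
# for the real changer; no tape hardware is touched.

# Constructed samples of `mtx -f <dev> status` output (one drive, a few slots).
SAMPLE_FULL='  Storage Changer /dev/sg0:1 Drives, 24 Slots ( 0 Import/Export )
Data Transfer Element 0:Full (Storage Element 3 Loaded):VolumeTag = ABC123L4
      Storage Element 1:Full :VolumeTag=AAA001L4
      Storage Element 2:Full :VolumeTag=AAA002L4
      Storage Element 3:Empty'

SAMPLE_EMPTY='  Storage Changer /dev/sg0:1 Drives, 24 Slots ( 0 Import/Export )
Data Transfer Element 0:Empty
      Storage Element 1:Full :VolumeTag=AAA001L4
      Storage Element 2:Full :VolumeTag=AAA002L4
      Storage Element 3:Full :VolumeTag=AAA003L4'

# Stand-in for "${MTX} -f $ctl status": prints $STATUS_SAMPLE, or the
# Full sample when that variable is unset.
fake_mtx_status() {
    printf '%s\n' "${STATUS_SAMPLE:-$SAMPLE_FULL}"
}

# Shared parser: prints the slot number loaded in drive $1 from the status
# dump in file $2, or 0 when the drive is empty. Field 7 of
# "Data Transfer Element N:Full (Storage Element S Loaded)..." is S.
slot_from_status() {
    awk -v d="$1" '
        $0 ~ "^Data Transfer Element " d ":Full"  { print $7 }
        $0 ~ "^Data Transfer Element " d ":Empty" { print 0 }
    ' "$2"
}

# BEFORE (the pattern the report flagged): the name depends only on the PID,
# which any local user can read from ps or simply race. If an attacker has
# pre-created /tmp/mtx.<pid> as a symlink, the ">" redirect, run with the
# storage daemon's privileges, follows it and clobbers the target.
# Defined for comparison only; nothing below calls it.
loaded_slot_unsafe() {
    tempfile=/tmp/mtx.$$
    fake_mtx_status > "$tempfile"
    rtn=$?
    slot_from_status "$1" "$tempfile"
    rm -f "$tempfile"
    return "$rtn"
}

# AFTER: mktemp creates the file itself (O_EXCL) with an unpredictable
# suffix under $TMPDIR (default /tmp), so a pre-planted symlink cannot match
# it. The explicit template works with both GNU and BSD mktemp, whose bare
# "-t" behaviour differs. If the file cannot be created we stop with a
# distinct status (33, as in the quoted snippet) rather than falling back
# to a guessable name; the temp file is removed on every path.
loaded_slot() {
    drive=$1
    tempfile=$(mktemp "${TMPDIR:-/tmp}/mtx.XXXXXXXXXX") || return 33
    fake_mtx_status > "$tempfile"
    rtn=$?
    slot_from_status "$drive" "$tempfile"
    rm -f "$tempfile"
    return "$rtn"
}

loaded_slot 0   # slot loaded in drive 0 for the Full sample
```

The temp file exists only so that the status command's exit code can be returned separately from the parsed output; a plain `mtx ... | awk` would lose that status in POSIX sh. If the exit code is not needed, piping straight into awk removes the file, and with it the whole class of bug, which is the stronger fix.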

