[Pm-utils] pm-utils 1.2.1 and 1.1.2.5 released
Michael Biebl
mbiebl at gmail.com
Sat Oct 4 15:56:16 PDT 2008
Hi Victor,
thanks for the nice release.
2008/10/4 Victor Lowther <victor.lowther at gmail.com>:
> 1.2.1 Release Announcement
> * pm-utils has support for saving quirks as a HAL FDI file. If
> called with --store-quirks-as-fdi, an .fdi file specific to the
> machine and quirks passed on the command line will be written
> to /tmp/pm-utils-created.fdi.
This sounds dangerous, looks like insecure tmp file usage.
A malicious attacker could create a symlink and this way trick you
into overwriting important files.
I see three possibilities:
1.) Use mktemp to create a random name (and tell the user the name).
2.) Store the file in /etc/hal/fdi, isn't it intended for that anyway?
3.) Dump the fdi file to stdout.
Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
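Option 1 from the reply above, as an added example (not pm-utils' own code): a POSIX sh sketch that writes the quirk file through mktemp instead of a fixed /tmp path. The .fdi layout, the vendor match string and the quirk key names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not pm-utils code. mktemp creates the file itself with
# O_CREAT|O_EXCL and mode 0600, so a symlink planted in advance at a
# predictable name cannot redirect the write to another file.

# Render a HAL .fdi body for the quirks given as arguments.
# Key names and the vendor match are constructed for this example.
fdi_body() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<deviceinfo version="0.2">\n  <device>\n'
    printf '    <match key="system.hardware.vendor" string="EXAMPLE">\n'
    for q in "$@"; do
        printf '      <merge key="power_management.quirk.%s" type="bool">true</merge>\n' "$q"
    done
    printf '    </match>\n  </device>\n</deviceinfo>\n'
}

# Create a uniquely named file, write the quirks into it, and print the
# name so the user knows where it went (the reply's suggestion 1).
write_fdi_safe() {
    out=$(mktemp "${TMPDIR:-/tmp}/pm-utils-created.XXXXXX") || return 1
    # Defensive re-check: refuse to continue if the path is not a plain file.
    if [ -L "$out" ] || [ ! -f "$out" ]; then
        echo "refusing to write: $out is not a regular file" >&2
        return 1
    fi
    fdi_body "$@" > "$out" || return 1
    echo "$out"
}
```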