digitalmars.D.bugs - [Issue 6172] New: rdmd: insecure temporary file creation
http://d.puremagic.com/issues/show_bug.cgi?id=6172

           Summary: rdmd: insecure temporary file creation
           Product: D
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: DMD
        AssignedTo: nobody puremagic.com
        ReportedBy: edelkind+puremagic gmail.com

--- Comment #0 from ari edelkind <edelkind+puremagic gmail.com> 2011-06-17 10:17:34 PDT ---

rdmd will create temporary files in /tmp/.rdmd . A malicious user could
pre-create such a directory and link target files elsewhere.

A more appropriate location for temporary files would be under the user's home
directory (e.g. $HOME/.rdmd). If the user's home directory is unwritable, then
/tmp/.rdmd.[random] may be used.

--
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Jun 17 2011
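
The directory selection suggested in Comment #0, as an added example in Python (not part of the original thread and not rdmd's code). The function names, the ownership and mode check, and the sandbox paths built in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile


def is_private_dir(path):
    """Real directory (not a symlink), ours, not group/other-writable."""
    try:
        st = os.lstat(path)  # lstat does not follow a planted symlink
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.geteuid()
            and (st.st_mode & 0o022) == 0)


def cache_dir(home, tmp_root):
    """Pick a cache directory that no other local user controls."""
    preferred = os.path.join(home, ".rdmd")
    try:
        os.mkdir(preferred, 0o700)  # raises if the name already exists
        return preferred
    except FileExistsError:
        if is_private_dir(preferred):
            return preferred
    except OSError:
        pass  # home directory missing or unwritable
    # Fallback: mkdtemp creates a fresh, unpredictably named 0700
    # directory atomically, so a pre-created fixed name is never reused.
    return tempfile.mkdtemp(prefix=".rdmd.", dir=tmp_root)


def demo():
    """Constructed sandbox standing in for $HOME and /tmp."""
    box = tempfile.mkdtemp()
    home, tmp, other = (os.path.join(box, n) for n in ("home", "tmp", "other"))
    for d in (home, tmp, other):
        os.mkdir(d)
    # As in the report: the fixed name already exists as a link elsewhere.
    planted = os.path.join(tmp, ".rdmd")
    os.symlink(other, planted)
    return {
        "home": home, "tmp": tmp,
        "planted_trusted": is_private_dir(planted),
        "with_home": cache_dir(home, tmp),
        "without_home": cache_dir(os.path.join(box, "missing"), tmp),
    }


if __name__ == "__main__":
    print(demo())
```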
gslopsema+dbugzilla gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gslopsema+dbugzilla gmail.com

--- Comment #1 from gslopsema+dbugzilla gmail.com 2011-07-22 13:38:58 PDT ---

Not assigned to me, however a patch which appends a string of random numbers to
/tmp/.rdmd can be found at
https://github.com/garslo/tools/commit/c19361441bf6546dfde2c450187c46856dd41965
with pull request https://github.com/D-Programming-Language/tools/pull/4
Jul 22 2011
Walter Bright <bugzilla digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla digitalmars.com
         Resolution|                            |WORKSFORME

--- Comment #2 from Walter Bright <bugzilla digitalmars.com> 2012-04-28 01:44:45 PDT ---

This was pulled and incorporated some time ago.
Apr 28 2012
--- Comment #3 from ari edelkind <edelkind+puremagic gmail.com> 2012-04-28 05:37:04 PDT ---

Given that I reported this issue nearly a year ago, this isn't the sort of
response time that I was hoping for with either a security report or a
"critical" bug report. For future reference, is there another avenue that I
should use to report such issues for a more timely acknowledgement, or is this
the sort of response time I should expect?
Apr 28 2012
--- Comment #4 from Andrei Alexandrescu <andrei metalanguage.com> 2012-04-28 08:26:45 PDT ---

If an issue stops from getting work done, it's always a good idea to
substantiate the reason in the bug report. Also, starting a discussion on the
topic at http://forum.dlang.org is helpful.

On the face of it this doesn't look like a showstopper. If the matter is
absolutely essential, there are many possible workarounds, starting with
changing rdmd.d and ending with simply using dmd instead of rdmd for critical
work.
Apr 28 2012