Re: [Audacity-devel] Security problem in the way Audacity handles temporary files (CVE-2007-6061)
From: Ismail <is...@pa...> - 2007-12-13 21:34:38
On Thursday 13 December 2007 23:26:43, Gale Andrews wrote:
[...]
> Richard was CC'd the Gentoo report, so has his change to
> AudacityApp.cpp on 1st December:
>
> "Default the temp dir not to use the audacity version number (easier to
> document). This is a potential security problem if the running user
> doesn't own the temp directory but adding a check for this means using
> platform-specific calls I think."
>
> already fixed this?

I don't think so, it even mentions an extra security problem, see
"This is a potential security problem if ". The fix is to create randomly
named temporary directories using mkdtemp and friends.

Regards,
ismail

-- 
Never learn by your mistakes, if you do you may never dare to try again.
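The approach suggested in the message above, as an added example that is not part of the original post and is not Audacity's code: create the directory with mkdtemp(), then apply the ownership check the quoted commit message says is missing. The function names and the "audacity-example-" prefix are assumptions made for this sketch; POSIX is assumed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* exposes mkdtemp() and lstat() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path is a real directory (not a symlink), owned by the effective
 * user, and not writable by group or others; 0 otherwise. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;       /* lstat: do not follow symlinks */
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;      /* someone else pre-created it */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Create a uniquely named 0700 directory under base and write its path to
 * out. The "audacity-example-" prefix is made up for this sketch.
 * Returns 0 on success, -1 on failure. */
int make_private_tmpdir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/audacity-example-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* path truncated */
    if (mkdtemp(out) == NULL) return -1;           /* fails rather than reuse a name */
    return dir_is_private(out) ? 0 : -1;
}

int main(void)
{
    char path[PATH_MAX];
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    if (make_private_tmpdir(base, path, sizeof path) != 0) {
        fprintf(stderr, "could not create a private temp directory\n");
        return 1;
    }
    printf("created %s\n", path);
    rmdir(path);
    return 0;
}
```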