[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nano-devel] [PATCH 2/2] use futimens() if available, instead of uti

From: Mike Frysinger
Subject: Re: [Nano-devel] [PATCH 2/2] use futimens() if available, instead of utime()
Date: Sun, 28 Nov 2010 17:17:37 -0500
User-agent: KMail/1.13.5 (Linux/2.6.36; KDE/4.5.2; x86_64; ; )

On Sunday, November 28, 2010 15:13:38 Kamil Dudka wrote:
> On Thursday 19 August 2010 15:34:12 Kamil Dudka wrote:
> > the attached patch eliminates a race condition on the call of utime()
> > on systems that have futimens().  In the current code, there is a similar
> > flaw as described in CVE-2010-1161.  Though it's not possible to change
> > the ownership of the backup file using a symlink attack, it's still
> > possible to change it's atime/mtime.  With the patch applied, there is no
> > such problem as long as futimens() is available during the build time.
> > 
> > Thanks in advance for considering the patch!
> Please find the updated version of the patch.  The original version
> contained a bug that caused futimens() to operate on invalid file
> descriptor.  A proper fix would be probably to rewrite copy_file() such
> that it does not close the given streams.  Is such a change welcome?

typically people dont patch generated files (configure/config.h).  ignoring 
that, this change doesnt handle the case where futimens() is ENOSYS.  rather 
than rewriting your own custom shims, how about using gnulib instead ?

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]