Re: Another day, another race - lynx 2.7.1

Thomas Roessler (roessler@GUUG.DE)
Tue, 17 Mar 1998 19:03:34 +0100

On Tue, Mar 17, 1998 at 03:39:58PM +0100, Michal Zalewski wrote:

> Lynx's /tmp file creation procedure is so poor that it isn't the only
> vulnerability.

> Source code details/fix:

> In LYUtils.c, they have written their own function to make tmp filename, called
> tempname. How it works:

> sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);

Actually, lynx is using LYNX_TEMP_SPACE instead of TMPDIR,
so setting that one to $HOME/.tmp (or whatever your
favorite place is) should help against that temp race.
(Yes, I know that this isn't the real fix, but it's a
quick workaround.)

On a related topic, H. P. Anvin's magicfilter 1.2 package
contains yet another /tmp race. The fix (replacing tmpnam
&& fopen by mkstemp && fdopen) is trivial, so I don't
include it.

Please note that this problem is especially dangerous,
since magicfilter will run as root on a typical
installation.

tlr

--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
     2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
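
The mkstemp && fdopen replacement mentioned in the message above, as an added C example that is not part of the original post or of the lynx or magicfilter sources. The names `open_temp_safe` and `demo`, the `LXXXXXX` template and the scratch paths are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700 /* mkstemp, mkdtemp, fdopen, symlink, lstat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened form: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, so a pre-planted file or symlink is never followed;
 * fdopen() then wraps the descriptor for stdio callers. */
FILE *open_temp_safe(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/LXXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return NULL;
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    /* on failure, do not leak the descriptor or leave the file behind */
    if (!fp) { close(fd); unlink(path); }
    return fp;
}

/* Self-check in a private scratch directory (constructed input): a dangling
 * symlink already sits at the predictable lynx-style name. Returns 0 when
 * exclusive creation refuses it and the mkstemp file is private. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", guess[256], target[256], safe[256];
    struct stat st;
    int rc = 1;
    if (!mkdtemp(dir)) return -1;
    snprintf(guess, sizeof guess, "%s/L%d%uTMP.html", dir, (int)getpid(), 0u);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, guess) == 0) {
        int fd = open(guess, O_WRONLY | O_CREAT | O_EXCL, 0600);
        int refused = (fd < 0 && errno == EEXIST);
        FILE *fp = open_temp_safe(dir, safe, sizeof safe);
        if (refused && fp && lstat(safe, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & 077) == 0 && lstat(target, &st) != 0)
            rc = 0; /* link not followed; temp file is regular, owner-only */
        if (fd >= 0) close(fd);
        if (fp) { fclose(fp); unlink(safe); }
        unlink(guess);
    }
    rmdir(dir);
    return rc;
}
int main(void) { return demo(); }
```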