[PATCH] unsafe /tmp usage of kmailcvt
Waldo Bastian
bastian at kde.org
Sun Nov 17 12:56:32 GMT 2002
kmailcvt uses a tempfile in /tmp which can be abused with a symlink attack to
overwrite arbitrary files of the user. The following patch cures the problem
by using KTempFile.

THIS PATCH STILL NEEDS TESTING! Specifically, someone with an Outlook Express
4.2 (?) and/or 5.2 (?) mail folder should test whether kmailcvt can still
import them into kmail.

Thanks to Per Winkvist for pointing out the problem.

Cheers,
Waldo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kmailcvt.diff
Type: text/x-diff
Size: 5665 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20021117/6346fcf7/attachment.diff>
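
The difference between a fixed temp-file name and exclusive creation, as an added example that is not part of the original mail or of the attached patch (which uses KDE's KTempFile and is not shown on this page). It uses plain POSIX calls in a private scratch directory; the file names and function names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern the mail describes: a fixed name, so open() follows whatever is
 * already at that path, including a symlink, and O_TRUNC empties its target. */
int open_fixed(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_CREAT|O_EXCL fails with EEXIST if the path exists, symlink or not. */
int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed setup: scratch dir with "victim" and symlink "fixed.tmp" ->
 * victim. Returns 1 if victim keeps its content, 0 if not, -1 on error. */
int victim_survives(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], lnk[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/fixed.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("keep", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, lnk) != 0) return -1;
    int fd = opener(lnk);
    if (fd >= 0) close(fd);
    f = fopen(victim, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(lnk); unlink(victim); rmdir(dir);
    return strcmp(buf, "keep") == 0;
}

/* Preferred form: mkstemp() picks an unpredictable name and creates the file
 * exclusively with mode 0600. Returns 1 when creation succeeds. */
int mkstemp_ok(void) {
    char tmpl[] = "/tmp/mailimport.XXXXXX"; /* hypothetical name prefix */
    int fd = mkstemp(tmpl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return fd >= 0;
}

int main(void) {
    printf("fixed=%d excl=%d mkstemp=%d\n", victim_survives(open_fixed),
           victim_survives(open_excl), mkstemp_ok());
    return 0;
}
```
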