[PATCH] unsafe /tmp usage of kmailcvt
Ingo Klöcker
kloecker at kde.org
Sun Nov 17 17:32:10 GMT 2002
On Sunday 17 November 2002 13:56, Waldo Bastian wrote:
> kmailcvt uses a tempfile in /tmp which can be abused with a symlink
> attack to overwrite arbitrary files of the user. The following patch
> cures the problem by using KTempFile.
>
> THIS PATCH STILL NEEDS TESTING! Specifically, someone with an outlook
> express 4.2 (?) and/or 5.2 (?) mail folder should test whether
> kmailcvt can still import them into kmail.
I guess you are aware of the fact that your patch changes some
translated texts. Is this really necessary? Can't you reuse the old
texts? I see no reason to change e.g.

"FATAL: Cannot open TEMP file '%1'"

to

"FATAL: Cannot open temporary file.".

And even if the new texts are slightly better, changing them can really
wait until KDE 3.2.

Apart from that the patch looks OK. I haven't tested it, though.
Regards,
Ingo
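
The symlink problem discussed in this thread, as an added example that is not part of the original message or of the kmailcvt patch: a fixed temp-file name opened with `O_TRUNC` is compared with exclusive creation under an unpredictable name. POSIX `mkstemp()` stands in here for what the thread's KTempFile fix is meant to provide; the function names, the scratch directory and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: fixed name plus O_TRUNC follows a pre-planted symlink. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks an unpredictable name and creates the file
   with O_EXCL, so an existing file or symlink is never reused. */
static int open_tmp_safe(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/kmailcvt.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

static long file_size(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "victim" stands for
   a user's file, "fixed.tmp" for the predictable temp name, already planted
   as a symlink. Returns the victim's size after the open, or -1 on error. */
static long victim_size_after(int use_safe) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], fixed[64], fresh[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/fixed.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important mail data\n", f);   /* 20 bytes */
    fclose(f);
    if (symlink(victim, fixed) != 0) return -1;
    int fd = use_safe ? open_tmp_safe(dir, fresh, sizeof fresh)
                      : open_tmp_unsafe(fixed);
    if (fd >= 0) close(fd);
    long size = file_size(victim);
    if (use_safe && fd >= 0) unlink(fresh);
    unlink(fixed); unlink(victim); rmdir(dir);
    return fd < 0 ? -1 : size;
}

int main(void) {
    printf("unsafe: victim is %ld bytes\n", victim_size_after(0));
    printf("safe:   victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```
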