Subject: Race conditions in puudecode.
Hello,
I've changed the code a little in puudecode to implement File::Temp
and rename. This ensures that the file is never available with the
wrong content or permissions. I would share my code if I was more
confident in its correctness. File::Temp might not be the correct tool
as it doesn't allow for secure creation of files and also advocates
against using the file name as my code does when calling chmod and
rename. For example, an attacker could open the file after it's created
and prior to the chmod. IIRC the file mode is only consulted during the
open call; later accesses to the contents are done regardless of the
current file mode.
I'm certain you can find instances of uudecode that have the same attack
vectors, but those are _also_ security threats needing patches.
AYMK creating a file and filling it with contents in-place creates an
opening for applications to read an incomplete copy of the file's data.
This can cause trouble/errors/bugs. To avoid this it's better to fill a
new file with data and then rename the new file over-top of the file
it's updating. Because a rename is atomic applications reading the old
or new file will not have to have code to handle partial updates safely.
This is the main focus of my changes, but there are several attack
vectors and thus my code is insecure even if it won't cause bugs.
Cheers.
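
The write-to-a-new-file-then-rename pattern discussed in the message above, as an added Perl example that is not the poster's code or puudecode's own. The helper name write_atomically, the temp-file template and the demo data are assumptions; the mode is set on the open handle rather than by name, so only rename() uses a path.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp ();

# write_atomically() is a hypothetical helper, not part of puudecode.
sub write_atomically {
    my ($dest, $mode, $data) = @_;

    # Create the temp file in the destination directory so rename() stays on
    # one filesystem. File::Temp opens it exclusively with mode 0600, so other
    # users cannot open it while it is being filled.
    my $tmp = File::Temp->new(
        TEMPLATE => '.uudecode-XXXXXXXX',
        DIR      => dirname($dest),
        UNLINK   => 1,    # removed automatically if we die before rename
    );
    binmode $tmp;
    print {$tmp} $data or die "write: $!";
    $tmp->flush        or die "flush: $!";

    # chmod on the filehandle (fchmod where the platform has it) changes the
    # file we hold open, not whatever a path currently points at.
    chmod $mode, $tmp or die "chmod: $!";
    close $tmp        or die "close: $!";

    # rename() can only take paths; readers of $dest see either the old
    # file or the complete new one, never a partial write.
    rename $tmp->filename, $dest or die "rename: $!";
    $tmp->unlink_on_destroy(0);    # the temp name no longer exists
    return 1;
}

# Demo with constructed data in a private scratch directory.
my $dir  = File::Temp->newdir;
my $dest = "$dir/decoded.txt";
write_atomically($dest, 0644, "constructed sample payload\n");
printf "%s mode %04o size %d\n", $dest, (stat $dest)[2] & 07777, -s $dest;
```

The rename step still depends on the destination directory not being writable by other users, since whoever can write there can replace either name.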