parfumix / gource

Automatically exported from code.google.com/p/gource
0 stars 0 forks source link

vulnerability: rewrite arbitrary user file #78

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi, I've just discovered that gource is vulnerable to rewriting any user file:

    uid_t myuid = getuid();
    sprintf(logfile_buff, "/tmp/gource-%d.tmp", myuid);
    temp_file = std::string(logfile_buff);
...
    sprintf(cmd_buff, "%s > %s", command.c_str(), temp_file.c_str());

Attacker can create link to any user file, this one will be overwritten on next 
gource run.

Thanks.

Original issue reported on code.google.com by segooon@gmail.com on 19 Jul 2010 at 4:44

GoogleCodeExporter commented 8 years ago
Hi. This was fixed a while ago in 0.26b

Cheers

Andrew

Original comment by acaudw...@gmail.com on 20 Jul 2010 at 7:11