From: Jeremy Mates
Subject: default TMPPREFIX unsafe if local malicious users
Date: Wed, 29 Aug 2012 16:13:53 -0700
Message-Id: <10BDFE08-7B52-4775-BD19-C5A1B7498202@gmail.com>
To: zsh-workers@zsh.org
List-Id: Zsh Workers List
X-Seq: 30645

The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:

    for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done

This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?

Jeremy
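
The two mitigations suggested in the message above (NOCLOBBER and a mktemp-style interface), compared with a plain redirection when a link already sits at the predictable name. This is an added example, not part of the original message or of zsh's code; it is written for POSIX sh, works only inside a throwaway directory that stands in for /tmp, and the function names, `victim` and `zshecl1234` are constructed for the illustration.

```shell
#!/bin/sh
# Added example (constructed). $sandbox stands in for /tmp and
# $sandbox/victim for the file a pre-planted link points at.

make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    # A link already present at the predictable scratch-file name.
    ln -s "$sandbox/victim" "$sandbox/zshecl1234"
}

# Plain redirection: the shell follows the link and truncates its target.
write_plain() {
    printf 'scratch\n' > "$1"
}

# noclobber (set -C): '>' refuses a name that already resolves to a
# regular file, so the link's target is left untouched. The subshell
# keeps the option from leaking into the caller.
write_noclobber() {
    ( set -C; printf 'scratch\n' > "$1" ) 2>/dev/null
}

# mktemp(1): creates a new file under a random name in the given
# directory and never opens a name that already exists.
write_mktemp() {
    tmp=$(mktemp "$1/zshXXXXXX") || return 1
    printf 'scratch\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# True while the stand-in victim file still has its original content.
victim_intact() {
    [ "$(cat "$1/victim")" = original ]
}
```

`write_noclobber` returns non-zero when it refuses the write, so a caller has to treat that as an error and stop rather than fall back to a plain `>`.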