The review of /tmp usage in Debian is proving to be a wonderful task:
6340 different packages have an occurrence of /tmp (when unpacked, so it's
compiled code or scripts, not sources), out of these 979 seem to have
unsafe usage of temporary files (temporary files have fixed names, not even
$$ is used).
I've generated the reports based on the attached file which just takes a
pool of Debian packages, unpacks them and runs grep to find /tmp
occurrences. When run, it will produce 24799 files totalling 34Mb!
Since reviewing so many reports is cumbersome, I've decided to review the
biggest ones (usually those that use /tmp most) and have opened up some
bug reports, and have ordered the rest based on popularity (script
attached) to review them one by one.
I'm just sharing these scripts in case they are useful for other members of
the audit team.
Regards
Javier
sort-reports.pl
Description: Text Data
generate-report-tmp.pl
Description: Text Data
signature.asc
Description: Digital signature
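As an added illustration (not one of the attached Perl scripts, and not code from the audit team), here is a small Python version of the same triage step: it scans script text for /tmp references and separates fixed names, which are the predictable paths a local user could pre-create, from $$-suffixed names and mktemp/tempfile calls. The sample script text, the regexes and the three class names are constructed for this example.

```python
import re
from pathlib import Path

# Constructed sample: lines as they might appear in a maintainer script
# or wrapper inside an unpacked package. Not taken from any real package.
SAMPLE_SCRIPT = """\
#!/bin/sh
LOG=/tmp/build.log
echo start > /tmp/status
WORK=/tmp/work.$$
TMPF=$(mktemp /tmp/safe.XXXXXX)
cat /tmp/foo > "$TMPF"   # reads a fixed path too
"""

TMP_REF = re.compile(r'/tmp/[A-Za-z0-9._-]+')        # any /tmp/<name>
SAFE_CREATORS = re.compile(r'\b(mktemp|tempfile)\b')  # unpredictable names
PID_SUFFIX = re.compile(r'\$\$|\$\{\$\}|\$PPID')       # weak, but not fixed

def classify_line(line):
    """Return None if the line does not mention /tmp, else 'mktemp',
    'pid' or 'fixed'.  'fixed' is what the audit flags: a predictable
    name that another local user can create or symlink in advance."""
    if not TMP_REF.search(line):
        return None
    if SAFE_CREATORS.search(line):
        return 'mktemp'
    if PID_SUFFIX.search(line):
        return 'pid'
    return 'fixed'

def scan_text(text):
    """Map each class to a list of (line number, stripped line)."""
    report = {'fixed': [], 'pid': [], 'mktemp': []}
    for n, line in enumerate(text.splitlines(), 1):
        kind = classify_line(line)
        if kind:
            report[kind].append((n, line.strip()))
    return report

def scan_tree(root):
    """Walk an unpacked package tree and total the hits per class."""
    totals = {'fixed': 0, 'pid': 0, 'mktemp': 0}
    for p in Path(root).rglob('*'):
        if p.is_file():
            for k, v in scan_text(p.read_text(errors='replace')).items():
                totals[k] += len(v)
    return totals

if __name__ == '__main__':
    for kind, hits in scan_text(SAMPLE_SCRIPT).items():
        for n, text in hits:
            print(f'{kind:7} line {n}: {text}')
```

Point scan_tree() at a directory produced by dpkg-deb -x to get the same per-package counts the grep-based report gives, with the fixed-name cases already separated out.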