From b811b3daf4db70df05adecf1715e51a18a2af7c2 Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Tue, 29 Mar 2016 18:45:58 +0000 Subject: [PATCH] Since the job is running as root, and on people.fedoraproject.org, it can be abused by a non admin user using a symlink in /tmp (just a simple for loop over the pid space would be enough). Then we can at best erase a almost arbitrary file (using a creative symlink), or at worst, maybe inject data that could be parsed by a software (since the content would be under the control of a attacker, since that's the list of file in a user home directories. --- roles/clamav/templates/clamscan.sh.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/clamav/templates/clamscan.sh.j2 b/roles/clamav/templates/clamscan.sh.j2 index 8b5d957f9f..0c521806f5 100644 --- a/roles/clamav/templates/clamscan.sh.j2 +++ b/roles/clamav/templates/clamscan.sh.j2 @@ -6,7 +6,8 @@ LOGFILE="/var/log/clamscan.log" MAILTO="{{ clamscan_mailto }}" DAYS=7 -FILELIST="/tmp/clamscan_filelist.$$" +TMPCLAMDIR=$(mktemp -d clamav_ansible.XXXXXX) +FILELIST="$TMPCLAMDIR/clamscan_filelist.$$" rm -f $LOGFILE