tech-toolchain archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: TOCTOU bug in make(1)
Am Thu, Oct 06, 2022 at 01:19:24PM -0500 schrieb Mario Campos:
> I ran CodeQL, a SAST tool, against trunk. It found a TOCTOU vulnerability
> in the `unlink_file` function of make(1). The function is a small wrapper
> over unlink(2), but it first checks that the file exists using lstat(2).
> Although I don't see an immediate danger here, I admit I'm not
> very imaginative for vulnerabilities.
This is necessary for historic reasons because old UNIX systems allows
unlink(2) on directories with bad consequences.
Joerg
Home |
Main Index |
Thread Index |
Old Index