COMMAND

    mc

SYSTEMS AFFECTED

    Linux (others?)

PROBLEM

    Michal  Zalewski  found  following  race  condition  with Midnight
    Commander  (4.1.8,  RedHat  5.0)  when  mc  is  launched using the
    following shell macro:

    mc=()
    {
        MC=/tmp/mc$$-"$RANDOM";
        /usr/bin/mc -P "$@" >"$MC";
        cd "`cat $MC`";
        rm "$MC";
        unset MC
    }

    Well, unfortunately it isn't secure. $$ is replaced with shell pid
    (not mc pid!) -  usually it's user's login  shell pid, and may  be
    obtained with 'ps au|grep  "\-bash"'. $RANDOM, as everyone  knows,
    generates  pseudo-random  integer  from  range  0..32767.    Well,
    'random' number isn't very  random, but even without  mathematical
    tricks we can  guess it -  when we create  eg. 1000 [sym]links  (a
    few seconds), our chances are about 1/33, and probably target file
    will  be  sooner  or  later  overwritten  with  mc's  last working
    directory.  With 10000 files (it will take maybe a half minute)  -
    our  chances  incerases  to  about  1/3,  but  it  needs more disk
    activity and may be detected...

SOLUTION

    Use mktemp:

        MC=`mktemp mc$$-XXXXXX`

    instead of $RANDOM.