On Wed, Jan 22, 2014 at 19:09:24 +0100, Helmut Grohne wrote:
> Package: syncevolution
> Version: 1.0+ds1~beta2a-2
> Severity: important
> Tags: security
>
> Dear Maintainer,
>
> Your package contains a funny tmp file vulnerability.
>
> $ grep 'mktemp`\.' -r .
> ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
> ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
> $
>
> Both of them are doing it wrong. They create a secure tempfile, but don't
> use it and instead generate a (now) predictable(!) name without opening
> it in a safe (O_CREAT) way.
Hi,

could you point out in more detail what is wrong here, and how it should be done right?

Regards,
Tino
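The pattern the report flags, and one safe alternative, as an added shell example (written for this thread, not taken from the bug report or from syncevolution's installcheck-local.sh). The function names are hypothetical; the only tool assumed is a `mktemp` that supports `-d`, which GNU coreutils and the BSDs provide. The unsafe helper is kept only to show what the flagged line actually produces: `mktemp` creates and returns a private file, but appending `.cxx` yields a sibling path that was never created, so its name is predictable and a later redirect to it follows whatever already sits there.

```shell
#!/bin/sh
# Added example: the flagged temp-file pattern next to a safe one.
# Hypothetical function names; assumes mktemp(1) with -d (GNU/BSD).

# Reproduces the flagged pattern. mktemp creates a secure file, but the
# script then uses "$base.cxx": a different, never-created, predictable
# path. The secure file is removed here only so this demo leaves no litter.
vulnerable_tmpname() {
    base=$(mktemp) || return 1
    rm -f "$base"          # the securely created file is never used
    echo "$base.cxx"       # predictable sibling path, not created, not ours
}

# Safe alternative: mktemp -d creates a private directory (mode 0700)
# atomically, so any file with any suffix inside it cannot be pre-created
# or symlinked by another local user.
safe_tmpfile() {
    suffix=$1
    dir=$(mktemp -d) || return 1
    path="$dir/compile$suffix"
    # noclobber makes the redirect fail instead of following an existing
    # file; inside a fresh 0700 directory it cannot happen, but it costs
    # nothing and documents the intent.
    ( set -C; : > "$path" ) || { rm -rf "$dir"; return 1; }
    echo "$path"
}

# Returns 0 if the path is an existing regular file owned by this user.
is_own_regular_file() {
    [ -f "$1" ] && [ -O "$1" ]
}

# Returns 0 if the directory is private to its owner (drwx------).
is_private_dir() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}
```

Usage: `f=$(safe_tmpfile .cxx)`, compile against `"$f"`, and `rm -rf "$(dirname "$f")"` when done (a `trap ... EXIT` is the usual place for that cleanup). GNU coreutils' `mktemp --suffix=.cxx` is the other correct fix when a single file with a fixed extension is all that is needed, since it creates the suffixed file itself instead of a sibling of it.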

