On Wed, Jan 22, 2014 at 19:09:24 +0100, Helmut Grohne wrote:
> Package: syncevolution
> Version: 1.0+ds1~beta2a-2
> Severity: important
> Tags: security
> 
> Dear Maintainer,
> 
> Your package contains a funny tmp file vulnerability.
> 
> $ grep 'mktemp`\.' -r .
> ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
> ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
> $
> 
> Both of them are doing it wrong. They create a secure tempfile, but don't
> use it and instead generate a (now) predictable(!) name without opening
> it in a safe (O_CREAT) way.

Hi,

could you point out in more detail what is wrong here, and how it
should be done right?

Regards,
Tino
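The following script is an added illustration, not code from the syncevolution package or from either poster. It reproduces the problem Helmut describes and shows one safe way to do it. mktemp(1) creates its file with O_CREAT|O_EXCL and mode 0600, so `$base` itself is safe; the bug is that the script then writes to `$base.cxx`, a name anyone can compute from the listing of /tmp and pre-create (for example as a symlink), and opens it with a plain `>`, which follows symlinks and does not use O_EXCL. The file names, the victim file and the attacker step are constructed for the demonstration. The fix shown uses `mktemp -d`, which creates a private 0700 directory that only the owner can populate, and keeps every derived file (the .cxx and the compiler's .o) inside it; on GNU coreutils 8.1 or later `mktemp --suffix=.cxx` is an alternative when a specific extension is required.

```shell
#!/bin/sh
# Added example (not syncevolution's code): the insecure pattern from
# installcheck-local.sh next to a safe replacement.

# Insecure pattern: the name returned by mktemp is secure, but "$base.cxx"
# is a derived, predictable path that the script never created safely.
# demo_attack() plays both roles and prints the victim file's final
# contents so the outcome can be checked.
demo_attack() {
    victim=$(mktemp "${TMPDIR:-/tmp}/victim.XXXXXX")   # constructed target
    printf 'original\n' > "$victim"

    base=$(mktemp "${TMPDIR:-/tmp}/ic.XXXXXX")          # secure, O_EXCL, 0600
    TMPFILE_CXX="$base.cxx"                             # derived, predictable

    # Attacker step (constructed): the derived name is guessable from the
    # /tmp listing, so plant a symlink there before the script writes.
    ln -s "$victim" "$TMPFILE_CXX"

    # Victim step, as in the original script: '>' follows the symlink.
    printf 'int main(void){return 0;}\n' > "$TMPFILE_CXX"

    result=$(cat "$victim")
    rm -f "$victim" "$base" "$TMPFILE_CXX"             # removes the link only
    printf '%s\n' "$result"
}

# Safe pattern: a private directory created by mktemp -d (mode 0700) holds
# every derived file. Nobody else can pre-create entries inside it, so the
# .cxx and .o names no longer need to be unpredictable. set -C (noclobber)
# is added as belt and braces so '>' refuses to overwrite an existing file.
# Prints the directory's permission string so the guarantee can be checked.
safe_build() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ic.XXXXXX") || return 1
    TMPFILE_CXX="$dir/installcheck.cxx"
    TMPFILE_O="$dir/installcheck.o"

    if ! ( set -C; printf 'int main(void){return 0;}\n' > "$TMPFILE_CXX" ); then
        rm -rf "$dir"; return 1
    fi
    # A real script would now run the compiler: $CXX -c "$TMPFILE_CXX" -o "$TMPFILE_O"

    perms=$(ls -ld "$dir" | cut -c1-10)
    rm -rf "$dir"
    printf '%s\n' "$perms"
}

# Stand-alone usage: show that the attack rewrites the victim file and that
# the safe variant keeps its files in an owner-only directory.
if [ "${1:-}" = "run" ]; then
    printf 'victim after insecure write: %s\n' "$(demo_attack)"
    printf 'safe temp dir permissions:   %s\n' "$(safe_build)"
fi
```

Run with `sh script.sh run`. The first line shows the victim file now contains the C source the script meant to write to its own temp file; the second shows the 0700 directory that closes the hole. The same reasoning applies to `TMPFILE_O`: the compiler writes it with a plain open, so it must also live under the private directory rather than beside a guessable name in /tmp.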

