Package: spread
Severity: normal
Tags: security

Hi,

recently, a bug about insecure temporary file handling was filed in Ubuntu [1]. After looking into the code, it does not seem that bad at all (removal of an already existing file which might be important, and a small race condition for a local DoS). However, it should be cleaned up.

"On start, spread creates a file /tmp/PORTNUMBER where PORTNUMBER is 4803 by default. If an existing file named /tmp/PORTNUMBER exists, it will be deleted before a socket with the same name is created."

It probably does not deserve a CVE number, but now that it has got one, please mention it in the changelog when you fix this (CVE-2006-3118).

Can you please pass this to upstream?

Thanks,

Martin

[1] https://launchpad.net/bugs/44171

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

