severity 496411 important
thanks

Hi,
Please ignore that previous patch, I sent it to the wrong bug report. The issue is present in the mentioned files. As a matter of fact, there are many more issues: the test set seems to be built around writing things in /tmp with hardcoded filenames. This is dangerous because, as I understand it, these tests run as root. However, I would not expect people to run such a test set on production or multi-user systems.

So my solution to this bug would be the following: we (security team) mark the package as unsupported for multi-user, production environments. To that effect a short README.Debian would need to be added to the package that states something like this:

===
This test suite is only intended to be run on non-production, single-user systems. The scripts use various techniques that are exploitable in a context of potentially malicious local users.
===

It may seem a bit obvious but I think it's better to be explicit than sorry. Can you take care of uploading a version with this change and get it into lenny? Let me know if you need me to make an NMU.

cheers,
Thijs
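The hazard the report describes (a root-run test suite writing to fixed, predictable names under /tmp) is shown below next to the pattern that avoids it. This is an added example and not code from the bug report or from the package in question; the helper names (scratch_dir, write_result, is_private_regular_file) and the sample path are hypothetical, chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the package): a fixed, predictable
# path under /tmp versus a per-run private directory created by mktemp(1).
# Helper names and paths here are hypothetical.
set -eu

# Hazardous pattern: a fixed, world-predictable path. Any local user can create
# an entry of that name before the root-run test suite writes to it, so the
# suite must not trust it.
UNSAFE_PATH=/tmp/testsuite-output.log

# Safer pattern: mktemp -d creates a directory with mode 0700 and an
# unpredictable name, so no other user can pre-place anything in it.
scratch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/testsuite.XXXXXX"
}

# Write a result file inside the private directory. 'set -C' (noclobber)
# makes '>' fail if the target already exists instead of overwriting it,
# and the failure is propagated to the caller.
write_result() {
    dir=$1
    out="$dir/result.log"
    ( set -C; printf '%s\n' "$2" > "$out" ) || return 1
    printf '%s\n' "$out"
}

# Check a harness can run before trusting a result file: it must not be a
# symlink, must be a regular file, and must be owned by the caller.
is_private_regular_file() {
    [ ! -L "$1" ] && [ -f "$1" ] && [ -O "$1" ]
}

main() {
    d=$(scratch_dir)
    f=$(write_result "$d" "test run ok")
    is_private_regular_file "$f" && echo "wrote $f (never $UNSAFE_PATH)"
    rm -rf "$d"
}
```

Running `main` creates the private directory, writes one result file into it, verifies the file before reporting it, and removes the directory; a second `write_result` against the same directory fails because of noclobber rather than silently replacing the file.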