On Tue, 6 Sep 2011 16:08:29 +0200 Vincent Lefevre wrote:
> On 2011-09-06 14:05:59 +0200, Chung-chieh Shan wrote:
> > No, we should not assume that TMPDIR is set by a malicious agent; that
> > is possible but it is also possible that TMPDIR is set by a friendly
> > agent whose goal is to increase the security of the system by putting
> > temporary files in a secure place inaccessible to other, malicious users.
> >
> > The correct thing to do is to respect the setting of TMPDIR precisely.
> > If the value of TMPDIR contains any special characters, xpdf should put
> > any temporary files in that directory, whose name contains the same
> > special characters. That is what is achieved by Jonathan Nieder's fix
>
> The fix is fine; however $TMPDIR should not contain spaces and other
> special characters because various tools don't support them (starting
> with the autotools). Of course, it's better to have a program that
> works correctly even in the case where $TMPDIR has special characters.

OK, nevertheless if an attacker has control of TMPDIR, you have much worse
problems, so this is not security-relevant. I agree to fix this based on the
fact that it is indeed more correct, but I'm not treating it with any
urgency. If you want to make sure I remember to fix it, please open a new
bug.

Thanks,
Mike
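
The behaviour argued for in this thread (temporary files go in exactly the directory $TMPDIR names, special characters included), as an added shell example that is not from the thread or from xpdf. The function names, the "viewer." prefix and the directory name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the "viewer."
# prefix are hypothetical.

# Quoted: $TMPDIR reaches mktemp as one literal argument, whatever
# characters it contains.
make_tmp_quoted() {
    mktemp "${TMPDIR:-/tmp}/viewer.XXXXXX"
}

# Unquoted: the shell word-splits and glob-expands $TMPDIR first, so
# mktemp sees several arguments and fails or writes somewhere else.
make_tmp_unquoted() {
    # shellcheck disable=SC2086
    mktemp ${TMPDIR:-/tmp}/viewer.XXXXXX 2>/dev/null
}

# True when the path is a regular file directly inside $TMPDIR.
in_tmpdir() {
    [ -n "$1" ] && [ -f "$1" ] && [ "$(dirname "$1")" = "${TMPDIR:-/tmp}" ]
}

# Constructed scenario: a private scratch directory whose name contains
# spaces and glob characters. Runs in a subshell so the caller's TMPDIR
# is left untouched.
demo() (
    base=$(mktemp -d) || exit 1
    TMPDIR="$base/private tmp [u1]"
    export TMPDIR
    mkdir -m 700 -- "$TMPDIR" || exit 1
    good=$(make_tmp_quoted)
    # cd first so any stray file from the unquoted call stays under $base.
    bad=$(cd "$base" && make_tmp_unquoted) || bad=
    in_tmpdir "$good" && echo "quoted:   ok ($good)"
    in_tmpdir "$bad" || echo "unquoted: missed TMPDIR (${bad:-mktemp failed})"
    rm -rf -- "$base"
)

demo
```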