Nico Golde wrote, Mon, 8 Dec 2008 11:25:36 +0100: [...]
Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
[...]
>No this is correct, devscripts is vulnerable to a symlink attack before the fix (for example signfile()).
[...]
Just had a look again at this issue. It should be no real problem as mktemp creates the file with safe permissions, so this can't be used to overwrite an arbitrary file. Though mktemp is stuck in an endless loop if there is already a symlink present with the template name.
Thanks. In that case, I don't think this needs any RM action; apologies for the noise.
Adam
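
The behaviour discussed in this thread, a write to a predictable temp-file name following a planted symlink while a file created by mktemp does not, can be reproduced in a scratch directory. This is an added example, not part of the original messages or of devscripts' code; the names `victim`, `sign.tmp` and `symlink-demo` are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: every path lives in a private scratch directory.

# Create a scratch dir holding a "victim" file and a symlink planted at a
# predictable temp-file name (sign.tmp) that points at the victim.
setup_scratch() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    printf 'original\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/sign.tmp"
    printf '%s\n' "$scratch"
}

# Unsafe: plain redirection to the predictable name follows the symlink.
# Prints the victim's contents afterwards.
unsafe_write() {
    printf 'signed data\n' > "$1/sign.tmp"
    cat "$1/victim"
}

# Exclusive create at the same fixed name: with noclobber (set -C) the shell
# refuses to write through a name that already exists.
exclusive_write() {
    if ( set -C; printf 'signed data\n' > "$1/sign.tmp" ) 2>/dev/null; then
        result=followed
    else
        result=refused
    fi
    printf '%s %s\n' "$result" "$(cat "$1/victim")"
}

# mktemp picks an unused name and creates the file itself, mode 0600.
# Prints "<permission string> <victim contents>".
safe_write() {
    tmp=$(mktemp "$1/sign.XXXXXX") || return 1
    printf 'signed data\n' > "$tmp"
    if [ -L "$tmp" ]; then return 1; fi
    printf '%s %s\n' "$(ls -ld "$tmp" | cut -c1-10)" "$(cat "$1/victim")"
}

# Run each case in a fresh scratch directory and clean up.
for fn in unsafe_write exclusive_write safe_write; do
    dir=$(setup_scratch) || exit 1
    printf '%-16s %s\n' "$fn" "$("$fn" "$dir")"
    rm -rf "$dir"
done
```

Only the first case changes the victim file; the other two leave it reading `original`.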