On Tue, 26 Jul 2011 11:52:27 +0200, Didier Raboud wrote:
> As Martin mentioned in the 633870 bug report, CVE-2011-2684 "could" be fixed in a fixed point release. The proposed debdiff for squeeze is attached (the fix was uploaded to unstable already and given the non-severe nature of this bug I don't think an upload to testing is worth it).
Probably not, no.
> What do you think? (And would a fix to lenny be needed?)
Looking at the patch:

++NEWPWD=`mktemp --tmpdir --directory foo2zjs.XXXXXX`
++cd "$NEWPWD"

What happens if mktemp fails? The script in question appears to be neither -e nor -u, so afaics there's the possibility for the code following the above snippet to be run in whatever happens to be the current directory when the script is run.
Regards, Adam
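Review bot: Neither of the two added lines checks an exit status: the output of `mktemp` is assigned to NEWPWD and handed straight to `cd "$NEWPWD"`, so a failed `mktemp` or a failed `cd` leaves the rest of the script running in the directory it was started from, which is the predictable-location situation the temporary directory is meant to avoid. Suggest aborting on either failure, e.g. appending `|| exit 1` to the `NEWPWD=` assignment and to the `cd "$NEWPWD"` line, so that nothing after this point runs unless the script is actually inside the freshly created directory.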