Bug#521107: unsafe /tmp usage
Usertags: origin-ubuntu jaunty
There is a bug in the Ubuntu bug tracker about xfs's init script being used
in an unsafe fashion. It seems that OpenSUSE has solved this as well:
"set_up_socket_dir moves /tmp/.font-unix to /tmp/.font-unix.$$.
Unfortunately $$ is predictable and there is no test, that
/tmp/.font-unix.$$ does not already exist. So especially symlink attacks
are possible. The attack is only possible, if /tmp/.font-unix does not
already exist. Then an attacker could create an /tmp/.font-unix file (not
directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where
XXXX are possible PID numbers). The start script than moves /tmp/.font-unix
to an symlinked directory /tmp/.font-unix.XXXX."
Kees Cook @debian.org