Bug#5298: gcc and /tmp security
Package: gcc
Version: 2.7.2.1-1
gcc creates its temporary files in $TMPDIR (default /tmp) and - guess
what? - doesn't use the O_EXCL open() flag! (verified using strace)
Any user can overwrite files owned by any other user who is running
gcc (including root, so don't do that!) by creating symlinks in /tmp.
Quick workaround: set $TMPDIR to point to some non-world-writable
directory (under $HOME). This really should be fixed upstream (the
problem is not Linux-specific) but maybe we can do it faster...
Marek
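
The behaviour described in the report, as an added example that is not part of the original message or of gcc's source: the same pre-existing symlink is opened once without `O_EXCL` and once with `O_CREAT | O_EXCL`, inside a private `mkdtemp()` directory. The names `excl-demo-XXXXXX`, `victim` and `cc001234.i` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a temporary file either without O_EXCL (as reported) or with it. */
static int open_tmp(const char *path, int use_excl)
{
    int flags = O_WRONLY | O_CREAT | (use_excl ? O_EXCL : O_TRUNC);
    return open(path, flags, 0600);
}

/* Returns 1 if a file reachable through a pre-existing symlink was
 * overwritten, 0 if it survived intact, -1 on setup error. */
int victim_clobbered(int use_excl)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char victim[64], tmpname[64], buf[32] = {0};
    const char *data = "important data\n";
    int fd, clobbered = -1;

    if (!mkdtemp(dir)) return -1;            /* private 0700 directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/cc001234.i", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write(fd, data, strlen(data)) < 0) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, tmpname) != 0) goto out;  /* link exists first */

    fd = open_tmp(tmpname, use_excl);
    if (fd >= 0) {                           /* open followed the link */
        if (write(fd, "# 1 \"x.c\"\n", 10) != 10) perror("write");
        close(fd);
    } else if (errno != EEXIST) goto out;    /* O_EXCL refuses: EEXIST */

    fd = open(victim, O_RDONLY);
    if (fd < 0) goto out;
    if (read(fd, buf, sizeof buf - 1) >= 0) clobbered = strcmp(buf, data) != 0;
    close(fd);
out:
    unlink(tmpname); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) { return victim_clobbered(0) == 1 && victim_clobbered(1) == 0 ? 0 : 1; }
```

With `O_CREAT | O_EXCL`, `open()` fails with `EEXIST` when the final path component is a symlink, even a dangling one, so the program can pick another name instead of writing through the link.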