Re: severity for bugs in ignoring TMP/TMPDIR?
On 10/02/2012, Paul Wise <firstname.lastname@example.org> wrote:
> On Sun, Feb 5, 2012 at 10:51 AM, Paul Wise wrote:
>> If I notice that software in Debian is ignoring TMP/TMPDIR (since I use
>> libpam-tmpdir), what severity should I file the resulting bugs at?
> I'll file them at wishlist as suggested by the second mail in this thread.
If you (or the maintainer) review the code or analyse the program's
behaviour and it is using *fixed* (i.e. not random) filenames for the
temporary files or for the directories they are created in (/tmp or
/var/tmp), you might want to suggest that the maintainer review whether the
code in charge of creating temporary files is doing this properly.
When in 2004-2006 I reviewed programs in the archive using
temporary files in fixed locations (i.e. /tmp and /var/tmp) I found a
number of security vulnerabilities which were all instances of these:
- CWE-377: Insecure Temporary File
- CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
- CWE-378: Creation of Temporary File With Insecure Permissions
I'm sure the situation has *not* improved since then.
Acting as a member of the Debian Security Audit Team. A full list of
advisories at http://www.debian.org/security/audit/advisories
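Added illustration of the two points raised in this thread, ignoring TMPDIR and using fixed names in the shared /tmp (this is not code from the thread or from any Debian package): the CWE-377/378 pattern next to a mkstemp()-based version that honours TMPDIR, plus the fstat() check a reviewer can apply after creation. It assumes a POSIX/glibc system; `myprog` is a hypothetical program name.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Honour TMPDIR (set per user by libpam-tmpdir), falling back to /tmp. */
const char *tmp_dir(void) {
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

/* CWE-377/378 pattern: fixed name in the shared /tmp, no O_EXCL, mode 0666.
 * Kept only for contrast with secure_tmpfile(); the demo never calls it. */
int insecure_tmpfile(void) {
    return open("/tmp/myprog.out", O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: template under tmp_dir(), random suffix, O_EXCL + 0600 via
 * mkstemp(). Writes the created path to path_out; returns fd or -1. */
int secure_tmpfile(char *path_out, size_t n) {
    int len = snprintf(path_out, n, "%s/myprog.XXXXXX", tmp_dir());
    if (len < 0 || (size_t)len >= n) return -1;
    return mkstemp(path_out);
}

/* Reviewer check on the open descriptor: regular file we own, no
 * group/other bits, single link (not a pre-planted file or symlink target). */
int tmpfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0 && st.st_nlink == 1;
}

/* Create under the given TMPDIR, verify, clean up. 0 = OK, 1 = create
 * failed, 2 = landed outside dir (TMPDIR ignored), 3 = not private. */
int demo_in(const char *dir) {
    char path[4096];
    setenv("TMPDIR", dir, 1);
    int fd = secure_tmpfile(path, sizeof path);
    if (fd < 0) return 1;
    int rc = strncmp(path, dir, strlen(dir)) != 0 ? 2
           : !tmpfile_is_private(fd)          ? 3 : 0;
    close(fd);
    unlink(path);
    return rc;
}
```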