Bug#344998: lintian: bogus warning about insecure tmpfile handling
tags 344998 patch
thanks
Frank Küster <frank@debian.org> writes:
> Package: lintian
> Version: 1.23.8
> Severity: normal
> W: tetex-bin: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:28
> This line reads:
> : ${MKTMPDIR:=/tmp}
> and in fact the variable MKTMPDIR is only used in invocations of mktemp
> with option -p.
Assuming that variable assignments are going to result in too many false
positives because of cases like this, the attached patch should fix this
problem.
--- lintian-1.23.15/checks/scripts.orig 2006-01-19 05:34:25.000000000 -0800
+++ lintian-1.23.15/checks/scripts 2006-01-21 15:58:55.000000000 -0800
@@ -417,7 +417,7 @@
next if m,^\s*\#,; # skip comment lines
s/\#.*$//; # eat comments
chomp();
- if (m,\W(/var)?/tmp\b, and not m/\bmktemp\b/ and not m/\btempfile\b/ and not m/\bmkdir\b/) {
+ if (m,[^\w=](/var)?/tmp\b, and not m/\bmktemp\b/ and not m/\btempfile\b/ and not m/\bmkdir\b/) {
tag "possibly-insecure-handling-of-tmp-files-in-maintainer-script", "$file:$."
unless $warned_tmp;
$warned_tmp = 1;
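Review bot: on the changed `if` line, `[^\w=]` suppresses the check for every `/tmp` that directly follows `=`, not only directory defaults like `: ${MKTMPDIR:=/tmp}`. A maintainer script that assigns a fixed file name under the directory (for example `TMPFILE=/tmp/foo.$$`, a constructed case) and later writes to it would no longer be tagged. Consider skipping only the case where `/tmp` or `/var/tmp` is the whole value, for instance with a negative lookahead so that `=/tmp` is ignored while `=/tmp/...` still matches. The quoted form `="/tmp"` still triggers the tag, because `"` is not in the excluded class, so the false positive is only partly addressed. A short comment beside the regex explaining why `=` is excluded would help later readers.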
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>