Bug#802476: spellintian: tries to read files from ARRAY(0x...)/profiles/debian

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#802476: spellintian: tries to read files from ARRAY(0x...)/profiles/debian
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 20 Oct 2015 14:34:13 +0200
Message-id: <[🔎] 20151020123413.GA8466@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 802476@bugs.debian.org

Package: lintian
Version: 2.5.38
Severity: minor
Tags: security

$ strace -o '| grep ARRAY' spellintian < /dev/null
stat64("ARRAY(0x89445f8)/profiles/debian/main.profile", 0x8819164) = -1 ENOENT (No such file or directory)
stat64("ARRAY(0x89445f8)/profiles/debian/ftp-master-auto-reject.profile", 0x8819164) = -1 ENOENT (No such file or directory)

Tagging this security, because it means spellintian can't be usedsecurely when cwd is a world-writable directory, such as /tmp.


--
Jakub Wilk

Reply to:

Prev by Date: Bug#802475: spellintian: "/dev/null is a directory"
Next by Date: Build failed in Jenkins: lintian-tests_wheezy #308
Previous by thread: Bug#802475: spellintian: "/dev/null is a directory"
Next by thread: Build failed in Jenkins: lintian-tests_wheezy #308
Index(es):
- Date
- Thread