Re: [gmail] Re: sponsor quake3 quake3-data packages

[Justin Pryzby <justinpryzby@users.sourceforge.net>]

On Thu, Nov 10, 2005 at 02:31:09PM +0100, Marc Leeman wrote:
> > (most of these problems are probably inherited from the quake2
> > packaging you used). You will have to fix most of these before
> > someone should sponsor the package.
> 
> > W: quake3-data: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:225
> 
> I use /tmp/ for the place to download the point and demo files. This
> used to be /root/. Since I do not think temporary installs should be
> dl'd there, I moved them to tmp. The extraction of the file is done in a
> dir with tempfile. I could move this one level deeper and again use
> tmpfile, but from a functional point of view, this does not change much,
> especially since the warning only kicks in when the default from
> templates is emptied out in the user interaction.
Lintian is right, if for the wrong reason.

  tempdir() {
      _TEMPDIR=`tempfile --directory $1 --prefix quake3-data`
      # kill off fresh tempfile
      rm $_TEMPDIR
      mkdir $_TEMPDIR
      echo $_TEMPDIR
  }

That is a tag + security race condition between rm and mkdir.  You'll
want to use mktemp -d instead.

I didn't look at your script closely; there may be other problems.
Nothing should ever get written to /tmp/ except if the output filename
is the result of a successful ($?==0) call to mktemp or tempfile.

-- 
Clear skies,
Justin