
Bug#700360: RFS: openfst/1.3.3-1 -- weighted finite-state transducers library



On 22/02/2013 20:26, Jakub Wilk wrote:
> * Giulio Paci <giuliopaci@gmail.com>, 2013-02-20, 20:46:
>>>>>>> As far as I can see, src/test/fst_test.h creates temporary files insecurely.
>>>>>> Relevant applications are now using a private directory to store temporary files. As far as I can see, this solves the issue.
>>>>> It solves it for Debian, but the problem should be fixed upstream as well. Please notify them about the bug, if you haven't already.
>>>> I already forwarded the patch.
>>> I'm confused. Which patch exactly did you forward?
>> I was referring to 1004_set_tmpdir_default_to_TMPDIR.patch.
> 
> Yup, but that doesn't fix the security hole; it merely allows those who are aware of it to work around it.

Ok, I just re-read the email I sent upstream with the patches and it described the problem in the Debian context.
I just sent another email further explaining the issue and pointing out it is a general issue. In this email I also proposed to fix the issue by setting TMPDIR inside the test scripts.

Bests,
	Giulio.

