Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]

To: 811455@bugs.debian.org
Subject: Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 24 May 2016 10:47:00 +0200
Message-id: <[🔎] 20160524084649.GA7214@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 811455@bugs.debian.org
In-reply-to: <[🔎] 5743CC8A.40809@quickmediasolutions.com>
References: <569DDEE9.1080808@quickmediasolutions.com> <360676473.2048657.1459540282248.JavaMail.yahoo@mail.yahoo.com> <[🔎] 20160523091158.GA5600@chase.mapreri.org> <[🔎] 5743CC8A.40809@quickmediasolutions.com>

* Nathan Osman <nathan@quickmediasolutions.com>, 2016-05-23, 20:37:

I worked around this problem by manually setting $HOME to /tmp indebian/rules. Please let me know if there is anything wrong with this.

Yes, this is very wrong. /tmp is world-writable and therefore notsuitable for a home directory. In some cases setting HOME=/tmp couldallow a malicious local user to execute arbitrary code with theprivileges of the building user.

Please set HOME to a subdirectory of cwd, which can be safely assumed tobe writable only by the building user. $(CURDIR)/debian/tmp/tmp might bea convenient choice.


--
Jakub Wilk

Reply to:

References:
- Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
  - From: Mattia Rizzolo <mattia@debian.org>
- Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
  - From: Nathan Osman <nathan@quickmediasolutions.com>

Prev by Date: Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
Next by Date: Bug#819395: RFS: stormlib-listfiles/2015-04-20-1 [ITP]
Previous by thread: Bug#811455: RFS: qhttpengine/0.1.0+dfsg1-1 [ITP]
Next by thread: Bug#812216: marked as done (RFS: libopenshot-audio/0.0.6+ds1-1 [ITP])
Index(es):
- Date
- Thread