
Bug#496360: Not a bug for us



reopen 496360
severity 496360 important
kthxbye

On Mon, Aug 25, 2008 at 11:21:24 +0200, Romain Beauxis wrote:

> 	Hi !
> 
> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data 
> during the live show.
> 
> We don't consider this as a bug, but as a feature (tm).

This is broken.

> Furthermore, this is known to the user, the name is predictable --
> "/tmp/liguidsoap.log" -- and run manually by the user, with no root
> rights.
> 
That makes symlink attacks against root impossible, but it still allows
an attacker to overwrite any file owned by the user running liguidsoap.
Please move the files out of /tmp.

Cheers,
Julien
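
The point raised in the reply above, as an added example that is not part of the original thread or of liguidsoap's code: a fixed-name log opened with a plain `open()` follows a symlink placed at that name, while a log kept in a private per-user directory and opened with `O_NOFOLLOW` does not. The function names, the `app.log` file name and the directory layout are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

def open_log_unsafe(path):
    # Pattern discussed in the thread: predictable name, plain open (follows symlinks).
    return open(path, "a")

def open_log_safe(directory, name="app.log"):
    """Open a log in a private directory we own, never following a symlink."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    st = os.lstat(directory)  # lstat: a symlinked directory is rejected too
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid() or st.st_mode & 0o022:
        raise PermissionError(f"{directory} is not a private directory we own")
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(os.path.join(directory, name), flags, 0o600)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("log path is not a regular file")
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario: a symlink already sits at the log's predictable name."""
    with tempfile.TemporaryDirectory() as root:
        user_file = os.path.join(root, "user_file.txt")
        with open(user_file, "w") as f:
            f.write("important\n")
        shared = os.path.join(root, "shared")  # stands in for /tmp
        os.mkdir(shared)
        os.symlink(user_file, os.path.join(shared, "app.log"))

        with open_log_unsafe(os.path.join(shared, "app.log")) as log:
            log.write("log line\n")
        with open(user_file) as f:
            modified = f.read() != "important\n"

        try:
            open_log_safe(shared).close()
            refused = False
        except OSError:  # ELOOP from O_NOFOLLOW, or the directory check
            refused = True

        private = os.path.join(root, "state")  # stands in for a per-user directory
        with open_log_safe(private) as log:
            log.write("log line\n")
        return modified, refused, os.path.isfile(os.path.join(private, "app.log"))

if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the final path component, which is why the directory itself is checked for ownership and write permissions before the file is opened.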


