Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

To: Thijs Kinkhorst <thijs@debian.org>, 496361@bugs.debian.org
Subject: Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
From: Rene Engelhard <rene@debian.org>
Date: Mon, 25 Aug 2008 12:53:50 +0200
Message-id: <[🔎] 20080825105350.GJ29434@rene-engelhard.de>
Reply-to: Rene Engelhard <rene@debian.org>, 496361@bugs.debian.org
In-reply-to: <[🔎] 200808250952.13340.thijs@debian.org>
References: <[🔎] 200808250952.13340.thijs@debian.org>

Hi,

Thijs Kinkhorst wrote:
> Rene Engelhard wrote:
> > I so far thought mktemp was safe enough? (of course, we get
> > senddoc.mutt.<number>, but...
> 
> mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:
> 
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
> 
> which I agree should not be there, probably leftover debug code?

Sigh. Yes, looks like it. (Checked with the 3.0 packages, which don't have
those lines anymore).

Regards,

Rene

Reply to:

References:
- Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
  - From: Thijs Kinkhorst <thijs@debian.org>

Prev by Date: Processed: notfixed 496361 in 1:2.4.1-7
Next by Date: Processed: tagging 496361
Previous by thread: Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Next by thread: Bug#496392: The possibility of attack with the help of symlinks in some Debian packages
Index(es):
- Date
- Thread