Hi, Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
* Adam D. Barratt <adam@adam-barratt.org.uk> [2008-12-08 09:09]: > On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote: > [...]> > Since the filename is predictable, I guess debsign is vulnerable to > > symlink > > attacks and the like (although I'm no security crack, etc., sorry if > > I'm> > overthinking the consequences of this bug). > > I'm not 100% sure myself, to be honest. Security team? No this is correct, devscripts is vulnerable to a symlink attack before the fix (for example signfile()).
Thanks.The code in question is present in lenny, but not etch. I'm assuming that the changes to devscripts since freeze are far too big for the release team to consider pushing the fixed version in directly so this would require a t-p-u upload or DTSA; I've CCed debian-release for their opinion.
(#507482 relates to a similar issue where a few scripts use $$ when creating temporary directories. That issue is fixed in unstable and affects both etch and lenny, but I'm not sure if it warrants an update to either distribution).
Regards,Adam