
Re: flashplugin-nonfree get-upstream-version.pl security concern



Moritz Mühlenhoff:
> On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
>> Hi,
>>
>> I do not want to discuss security implications of the upstream closed
>> source Adobe Flash plugin. This is about how the Flash plugin is
>> downloaded and installed in Debian.
>>
>> /usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
>> http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
>> stores it in /tmp/xxx, runs it and deletes /tmp/xxx.
> 
> It should at least use a non-predictable tempfile (using tempfile(1))
> 
> Please file a bug for that.

It's non-predictable. Sorry, I didn't mention it doesn't use /tmp/xxx.
xxx was supposed to be a variable, i.e. always changing.


