
Re: flashplugin-nonfree get-upstream-version.pl security concern



Hello Moritz,

On Wed, Dec 12, 2012 at 07:02:08PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> > I do not want to discuss security implications of the upstream closed
> > source Adobe Flash plugin. This is about how the Flash plugin is
> > downloaded and installed in Debian.
> >
> > /usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
> > http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
> > stores it in /tmp/xxx, runs it and deletes /tmp/xxx.
> 
> It should at least use a non-predictable tempfile (using tempfile(1)).
> 
> Please file a bug for that.

I already use "mktemp -d /tmp/flashplugin-nonfree.XXXXXXXXXX".  Isn't that
secure? What is the problem you are suggesting to file a bug for?

Regards,

Bart Martens
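
Added example, not part of the original message and not code from update-flashplugin-nonfree: a shell sketch of the properties a `mktemp -d` work directory provides for a downloaded script (unique name per run, owned by the caller, mode 0700, not a symlink) and how a script can check them before writing into it. The function names `make_workdir` and `workdir_is_private` are hypothetical; only the template string comes from the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Create a work directory from the template quoted in the message.
# mktemp -d picks a random suffix, creates the directory atomically and
# fails instead of reusing an existing name, so a pre-created file or
# symlink at a guessed path cannot be adopted.
make_workdir() {
    base=${1:-/tmp}
    mktemp -d "$base/flashplugin-nonfree.XXXXXXXXXX"
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with no permissions for group or others.
workdir_is_private() {
    d=$1
    [ -d "$d" ] || return 1
    [ ! -L "$d" ] || return 1
    # ls -ldn prints: mode, link count, numeric owner, ...
    read -r mode links owner rest <<EOF
$(ls -ldn "$d")
EOF
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        drwx------*) return 0 ;;
    esac
    return 1
}

# Usage: create the directory, remove it on any exit, and refuse to
# continue if it is not private. A downloaded file would then be written
# inside "$workdir", never directly under /tmp.
workdir=$(make_workdir) || exit 1
trap 'rm -rf "$workdir"' EXIT
workdir_is_private "$workdir" || { echo "unsafe work directory" >&2; exit 1; }
```
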

