
Bug#741627: insecure temporary file usage in apt-extracttemplates



On Fri, Mar 14, 2014 at 05:10:05PM +0000, Steve Kemp wrote:
> Package: apt
> Version: 0.9.7.9+deb7u1
> Severity: important
> Tags: security

Thanks for your bug report.
 
[..]
> Anyway given that the generated file names are output to the console
> it feels like we should use mkstemp and do it properly, right?
[..]

I agree and changed the code to use mkstemp() now instead of using the
pid/static integer combination. Changing this means that the format of
the output changes slightly, the last field after the "." is fixed size
now and no longer contains only numbers. I don't expect this to cause
issues, but I will run it on my system first for a couple of days
(I also added a small integration test for this functionality).

Cheers,
 Michael
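
The change discussed in this message, as an added example that is not part of the original mail and is not apt's code: a name built from the pid and a static counter next to one created with mkstemp(). The function names, the `/tmp` directory, the `example.template` prefix and the exact name layout are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* "Before" pattern: the last field is pid + static counter, digits only,
 * so another local user can compute the name before the file exists. */
int legacy_name(char *out, size_t len, const char *dir, const char *prefix)
{
    static int counter = 0;
    int n = snprintf(out, len, "%s/%s.%d%d", dir, prefix,
                     (int)getpid(), counter++);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* "After" pattern: mkstemp() fills in the six X's with random characters
 * and creates the file with O_CREAT|O_EXCL, so a pre-planted file or
 * symlink makes it pick another name instead of being followed. */
int secure_temp(char *out, size_t len, const char *dir, const char *prefix)
{
    int n = snprintf(out, len, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(out); /* open fd, or -1 with errno set */
}

/* Last field of the name, i.e. the part after the final ".". */
const char *last_field(const char *path)
{
    const char *dot = strrchr(path, '.');
    return dot ? dot + 1 : path;
}

int main(void)
{
    char before[256], after[256];
    struct stat st;
    if (legacy_name(before, sizeof before, "/tmp", "example.template") != 0)
        return 1;
    int fd = secure_temp(after, sizeof after, "/tmp", "example.template");
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("before: %s\nafter:  %s\n", before, after);
    if (fstat(fd, &st) == 0) printf("mode: %o\n", (unsigned)(st.st_mode & 0777));
    close(fd);
    unlink(after); /* the caller owns cleanup of the mkstemp file */
    return 0;
}
```

Anything that parses the printed file names should treat the last field as an opaque six-character string rather than a number.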

