Package: syncevolution
Version: 1.0+ds1~beta2a-2
Severity: important
Tags: security

Dear Maintainer,

Your package contains a funny tmp file vulnerability.

$ grep 'mktemp`\.' -r .
./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
$

Both of them are doing it wrong. They create a secure tempfile, but don't use it and instead generate a (now) predictable(!) name without opening it in a safe (O_CREAT) way.

Helmut
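
The pattern from the report next to one way to avoid it, as an added example that is not part of the original report or of syncevolution's code. The file names check.cxx and check.o and all function names are hypothetical, and the lint generalizes the report's grep so that it also catches the $(mktemp).ext spelling.

```shell
#!/bin/sh
# Added example; names and paths are constructed for illustration.

# Pattern from the report: mktemp creates and reserves $base, but the script
# then uses "$base.cxx", a name that nothing has created or reserved.
unsafe_name() {
    base=$(mktemp) || return 1
    derived="$base.cxx"
    [ -e "$base" ] && base_state=reserved || base_state=missing
    [ -e "$derived" ] && derived_state=reserved || derived_state=unreserved
    rm -f "$base"            # the original pattern never cleans this file up
    echo "base=$base_state derived=$derived_state"
}

# Fix: reserve a private directory (created with mode 0700) and give the
# files whatever suffix the compiler needs inside it.
safe_workdir() {
    mktemp -d
}

# Lint: flag a literal suffix glued onto a mktemp command substitution,
# in both the backtick and the $( ) form.
find_suffixed_mktemp() {
    grep -nE '(`mktemp[^`]*`|\$\(mktemp[^)]*\))\.[A-Za-z0-9]' "$@"
}

# Demo: show the state of both names, then the names the fixed script would use.
unsafe_name
work=$(safe_workdir) || exit 1
echo "TMPFILE_CXX=$work/check.cxx TMPFILE_O=$work/check.o"
rm -rf "$work"
```

In a real script the directory would be removed from an EXIT trap rather than immediately.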