Package: netenv
Version: 0.94.3-30
Tags: security
postinst does this:
    if [ -f /var/tmp/netenv_upgrade_restored-symlinks ]; then
        # if there were stale links, this means there should be links. We configure
        # with the link method
        config_current_onboard
    fi
with the assumption that the file was created by the config script. But
/var/tmp is world-writable, so the file could have been created by any
(malicious) local user.
--
Jakub Wilk
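
Added example, not part of the original report and not netenv's code: the existence-only test from the postinst next to a check that also requires the flag file to be a non-symlink regular file owned by the expected uid. The function names and the uid parameter are hypothetical; the demo uses a constructed temporary directory in place of /var/tmp.

```shell
#!/bin/sh
# Added example (not netenv's code). Function names are hypothetical.

# Existence-only test, as in the reported postinst: in a world-writable
# directory any local user can make this succeed.
flag_present_unsafe() {
    [ -f "$1" ]
}

# Stricter test: accept the flag only if it is a regular file, not a symlink,
# and owned by the expected uid (0 for a maintainer script running as root).
flag_is_trusted() {
    file=$1
    want_uid=${2:-0}
    [ -L "$file" ] && return 1          # -f follows symlinks, so test -L first
    [ -f "$file" ] || return 1
    owner=$(stat -c '%u' -- "$file") || return 1   # GNU stat, as on Debian
    [ "$owner" = "$want_uid" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for /var/tmp/netenv_upgrade_restored-symlinks
    flag="$dir/netenv_upgrade_restored-symlinks"
    : > "$flag"                          # file created by the current user
    me=$(id -u)
    flag_present_unsafe "$flag" && echo "existence check: accepted"
    # Expect a different owner than the one who created the file.
    flag_is_trusted "$flag" "$((me + 1))" || echo "owner check: rejected"
    flag_is_trusted "$flag" "$me" && echo "owner check: accepted for expected uid"
    rm -rf -- "$dir"
}
demo
```

Keeping such state files in a directory only root can write to removes the need for the ownership check altogether.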