Control: done -1 1.8.1+dfsg-1

On Wed, 26 Aug 2015 23:35:05 +0200 Thomas Lange <la...@informatik.uni-koeln.de> wrote:
>
> Package: vagrant
> Version: 1.7.4+dfsg-1
>
> vagrant uses hardcoded paths containing /tmp in a lot of scripts. This
> means files in a world-writable directory are created or removed.
>
> IMO, this is forbidden by the Debian policy, chapter 10.4.
>
>
> This is mostly done in the provisioners and guest plugins, when doing
> comm.sudo or machine.communicate.sudo. Even if those commands are
> executed on the guest machine, vagrant can be called multiple times
> for a client, thus a malicious program on the guest could create a
> symlink in /tmp and then the vagrant call would overwrite a file where
> this symlink is pointing to.

This has since been fixed in response to another bug, but I missed this bug here at the time.
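The symlink problem described in the quoted report, as an added example that is not part of either message and is not vagrant's code: a fixed file name in a shared directory next to the same write done inside a `mktemp -d` directory. The sandbox layout and the names `provision.sh` and `victim` are constructed for illustration.

```shell
# Added illustration. Everything lives in a throwaway sandbox that stands in
# for the guest's /tmp; "provision.sh" and "victim" are constructed names.

# Build the sandbox: a shared dir in which a symlink already sits at the
# file name the script is known to use.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/shared" || return 1
    printf 'original\n' > "$sb/victim"
    ln -s "$sb/victim" "$sb/shared/provision.sh"
    printf '%s\n' "$sb"
}

# Pattern from the report: fixed name in a shared directory.
# The redirect truncates whatever the path resolves to, symlink included.
write_fixed_name() {   # $1 = shared dir, $2 = payload
    printf '%s\n' "$2" > "$1/provision.sh"
}

# Hardened pattern: mktemp -d creates a new mode-0700 directory with an
# unpredictable name and fails rather than reusing an existing entry, so
# nothing can be planted inside it beforehand. Prints the path written.
write_private_dir() {  # $1 = shared dir, $2 = payload
    d=$(mktemp -d "$1/provision.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$d/provision.sh" || return 1
    printf '%s\n' "$d/provision.sh"
}

# Report what happened to the file behind the planted symlink.
victim_state() {       # $1 = sandbox
    if [ "$(cat "$1/victim")" = "original" ]; then echo intact; else echo clobbered; fi
}

case_fixed_name() {
    sb=$(make_sandbox) || return 1
    write_fixed_name "$sb/shared" "new content"
    victim_state "$sb"
    rm -rf "$sb"
}

case_private_dir() {
    sb=$(make_sandbox) || return 1
    write_private_dir "$sb/shared" "new content" >/dev/null || return 1
    victim_state "$sb"
    rm -rf "$sb"
}

echo "fixed name in shared dir: $(case_fixed_name)"
echo "mktemp -d private dir:    $(case_private_dir)"
```

On Linux, the `fs.protected_symlinks` sysctl, where enabled, blocks some symlink follows in sticky world-writable directories, but it is a kernel backstop and does not replace private temporary paths in the scripts themselves.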