Package: devscripts
Version: 2.10.41
Severity: normal
Tags: security

        Hi

 I don't know how exploitable tmp dirs with debsign's files are,
 probably not much, but this could be avoided:

dosigning() {
    # Do we have to download the changes file?
    if [ -n "$remotehost" ]
    then
        cd ${TMPDIR:-/tmp}
        if [ ! -d "debsign.$$" ]
        then
            mkdir debsign.$$ || { echo "$PROGNAME: Can't mkdir!" >&2; exit 1; }
        fi
        trap "cleanup_tmpdir" 0 1 2 3 7 10 13 15
        cd debsign.$$


 Please don't use $$; also, I think it'd be best to set up the clean hook
 before creating the dir.

 Something like:

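tmp_dir=""
# Remove the temporary directory, if one was created.
cleanup() {
    if [ -n "$tmp_dir" ]; then
        rm -rf "$tmp_dir"
    fi
}
# Install the hook before creating the directory.
# Signal 9 (SIGKILL) cannot be trapped, so it is not listed.
trap "cleanup" 0 1 2 3 11 13 15
# mktemp picks an unpredictable name; stop if it fails.
tmp_dir="$(mktemp -dt "debsign.XXXXXXXXXX")" || exit 1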

  Cheers

-- 
Loïc Minier
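
Added example, not part of the original report and not debsign code: it runs the quoted `debsign.$$` pattern and the `mktemp -d` replacement side by side in a private sandbox where a directory with the PID-based name already exists. The function names and the `planted` marker file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from debsign.

# Pattern quoted in the report: the name is derived from the PID, and an
# already existing directory of that name is accepted without any check.
workdir_pid() {
    base=$1
    if [ ! -d "$base/debsign.$$" ]; then
        mkdir "$base/debsign.$$" || return 1
    fi
    printf '%s\n' "$base/debsign.$$"
}

# Suggested replacement: mktemp -d chooses an unpredictable name, creates the
# directory itself (mode 0700) and fails rather than reusing an existing one.
workdir_mktemp() {
    base=$1
    mktemp -d "$base/debsign.XXXXXXXXXX"
}

# True only for a real, empty directory, i.e. one nobody else populated.
is_fresh() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -z "$(ls -A "$1")" ]
}

demo() {
    # Constructed scenario: the sandbox stands in for a shared /tmp in which
    # debsign.<our pid> was created by someone else before we started.
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/debsign.$$"
    : > "$sandbox/debsign.$$/planted"

    d1=$(workdir_pid "$sandbox")
    d2=$(workdir_mktemp "$sandbox")
    is_fresh "$d1" && r1=fresh || r1=reused
    is_fresh "$d2" && r2=fresh || r2=reused

    rm -rf "$sandbox"
    printf '%s %s\n' "$r1" "$r2"
}

demo   # prints: reused fresh
```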


