> Here is a patch applied in Ubuntu fixing a bug reported there:

I'm afraid that this patch is not correct, it actually introduces a security bug:

> # TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. > -tmpdir = /var/run/oinkmaster > +tmpdir = /tmp

/tmp should never be used as the oinkmaster use of temporary files is not audited. If running oinkmaster as root (which you need to do to update the Snort ruleset) a user in the system could launch a race condition attack by creating the same file that oinkmaster will use to write its temporary files.

Don't forget that /tmp (unlike /var/run/oinkmaster) is writable by *any* user.

I will review what other options we have (to avoid using /var/run) but using /tmp is not an option.

Regards

Javier
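
Review bot: `+tmpdir = /tmp` makes the shipped default a directory that every local account can write to, while the removed `/var/run/oinkmaster` was a directory dedicated to the tool. With oinkmaster run as root and its temporary-file handling unaudited, the default should stay a directory that only the oinkmaster user can write to. If `/var/run/oinkmaster` cannot be used, point `tmpdir` at another private directory rather than at `/tmp`, and update the comment above the setting so it no longer presents `/tmp` as an acceptable fallback.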
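
The property the reply relies on (a temporary directory that other local users cannot write to) can be checked before a privileged job uses it. The following is an added example, not part of the original message or of oinkmaster; the function name `tmpdir_problems` and its `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat


def tmpdir_problems(path, trusted_uid=None):
    """Return the reasons `path` is unsafe as a private temporary directory.

    An empty list means: a real directory, owned by the trusted user,
    and not writable by group or other users.
    """
    if trusted_uid is None:
        trusted_uid = os.geteuid()
    try:
        # lstat, not stat: a symlink planted by another user must not be followed.
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    # The sticky bit on /tmp does not help here: other users can still
    # create files there before the privileged process does.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other users")
    return problems


if __name__ == "__main__":
    # The two values from the patch, checked for a job that runs as root (uid 0).
    for candidate in ("/tmp", "/var/run/oinkmaster"):
        issues = tmpdir_problems(candidate, trusted_uid=0)
        print(candidate, "->", "; ".join(issues) or "ok")
```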