Package: inkscape
Version: 0.41-5
Priority: normal
Tags: patch security

The inkscape ps2epsi extension shell script uses hardcoded tempfile definitions making it vulnerable to symlink attacks. The attached patch fixes this issue. For consistency, I've used the code already used by the dia2svg.sh extension.

Regards

Javier

PS: I'm not sure if using extensions is common to most users of Inkscape. If it is, please consider raising the priority of this bug.

--- inkscape-0.41/share/extensions/ps2epsi.sh 2005-08-05 23:32:47.000000000 +0200 +++ inkscape-0.41/share/extensions/ps2epsi.sh.orig 2005-08-05 23:30:55.000000000 +0200 @@ -1,7 +1,6 @@ #!/bin/sh -TMPDIR="${TMPDIR-/tmp}" -TEMPFILENAME=`mktemp -t 2>/dev/null || echo "$TMPDIR/tmpdiafile.svg"` +TEMPFILENAME=/tmp/tmpepsifile.epsi ps2epsi "$1" "${TEMPFILENAME}" &> /dev/null cat ${TEMPFILENAME}
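
Review bot: the fallback on the `TEMPFILENAME=` line, `|| echo "$TMPDIR/tmpdiafile.svg"`, still produces a fixed, predictable path whenever `mktemp` fails or is not installed, so the symlink exposure remains in exactly that case; print an error and exit instead of falling back. The fallback name also says `tmpdiafile.svg` in a script that writes EPSI output. The file headers are swapped: `ps2epsi.sh.orig` sits on the `+++` side, so as written the hunk removes the `mktemp` lines and adds `TEMPFILENAME=/tmp/tmpepsifile.epsi`; regenerate the diff with the original file first. In the context lines, `cat ${TEMPFILENAME}` is unquoted and nothing removes the temporary file once it has been printed.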