package: debianutils
version: 4.0.2
severity: important
tags: security

Hi,

debianutils' tempfile (and coreutils' mktemp as well) expose security issues when an attacker has control of the TMPFILE environment variable. I believe that support for this variable should be disabled. Note that scripts that expect to set the tmpfile directory can use the "-d" option to obtain the same functionality. I suppose some users will want to retain control of this, but they'll just have to get used to finding temp files forced into /tmp. Ignoring the TMPFILE environment variable is also how the "secure" version of the C mktemp function (mkstemp) behaves. See bug #635849 for more info on a particular case where this has been observed as a real problem.

Best wishes,
Mike
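As an added illustration (not part of the bug report above, and not debianutils or coreutils code) of the mitigation the report suggests for scripts, the shell functions below pin the temporary directory explicitly instead of letting an environment-supplied one decide where the file lands. They assume GNU coreutils mktemp, whose directory-selection variable is TMPDIR and whose explicit -p DIR takes priority over it; the function names and the "safe.XXXXXX" template are made up for this example.

```shell
# Added example, not from the bug report: create a temp file in a directory
# the script chooses, so a TMPDIR inherited from the environment cannot
# redirect it. Assumes GNU coreutils mktemp; function names are hypothetical.

# Refuse directories that are missing, are symlinks, or are not writable.
tmpdir_is_usable() {
    dir="$1"
    [ -n "$dir" ] && [ ! -L "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]
}

# Create a temp file under $1 (default /tmp) regardless of TMPDIR.
# "-p DIR" wins over TMPDIR; TMPDIR is also unset in a subshell so that
# nothing called later in that subshell inherits it.
safe_tempfile() {
    dir="${1:-/tmp}"
    tmpdir_is_usable "$dir" || return 1
    (
        unset TMPDIR
        mktemp -p "$dir" safe.XXXXXX
    )
}

# For contrast: a bare mktemp honours TMPDIR, which is the behaviour the
# report objects to. Prints the directory the file was created in, then
# removes the file again.
env_controlled_tempfile_dir() {
    f=$(TMPDIR="$1" mktemp) || return 1
    dirname "$f"
    rm -f "$f"
}
```

A script that needs a non-default location passes it as the argument to safe_tempfile; anything it did not choose itself is ignored.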