Package: lio-utils
Version: 3.1+git0.91b96103-2
Severity: normal
Tags: patch security

/etc/init.d/target contains the following code:

| #########################################################################
| # Allows saving command & arguments into a file for subsequent debugging
| # Enable: Set DEBUG=1 Disable: Set DEBUG=0
|
| DEBUG=0
| LOGFILE=/tmp/tgtctl.dbug
|
| if [ $DEBUG ]; then
|     echo "$0 $*" >> $LOGFILE
| fi
| #########################################################################

The test on the debug is wrong, so the test is always valid. This causes DEBUG to be enabled by default, and given the filename is fixed and the file located in /tmp, it can be used for a symlink attack.

The test should be replaced by:

| if [ $DEBUG != 0 ]; then

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
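
The behaviour described in the report, as an added example that is not part of the original report or of lio-utils: it compares the shipped test with a quoted form of the proposed one, and shows debug logging that avoids a predictable file name in a world-writable directory. The function names and the log directory argument are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from lio-utils.

# Test as shipped: [ STRING ] is true for any non-empty string,
# so DEBUG=0 enables logging exactly like DEBUG=1.
debug_enabled_original() {
    DEBUG=$1
    if [ $DEBUG ]; then echo yes; else echo no; fi
}

# Test proposed in the report, with quoting and a default so an empty
# or unset DEBUG does not make [ fail with a syntax error.
debug_enabled_fixed() {
    DEBUG=$1
    if [ "${DEBUG:-0}" != 0 ]; then echo yes; else echo no; fi
}

# Debug log without a fixed name: mktemp creates a new, unpredictable
# file exclusively (mode 0600), so a pre-planted symlink at a known
# path is never opened. $1 is the log directory (assumption: one that
# only the service user can write to), the rest is the message.
log_debug() {
    logdir=$1
    shift
    logfile=$(mktemp "$logdir/tgtctl.XXXXXX") || return 1
    echo "$*" >> "$logfile"
    echo "$logfile"
}

# Show both tests side by side for the two documented settings.
for v in 0 1; do
    echo "DEBUG=$v original=$(debug_enabled_original "$v") fixed=$(debug_enabled_fixed "$v")"
done
```
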