On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> Package: devscripts
> Version: 2.10.41
> Severity: serious
> Tags: patch security
> Justification: Vulnerable to symlink attacks (unless I'm mistaken).
[...]
> but your usage of mktemp is bogus, since .$2 is appended to the X's. The
> attached patch fixes this (I used local set -x/+x to check the filenames).

Ugh. One possibly mitigating factor is that the broken call is only used
if the caller can't write to the directory containing the package,
although that will be the case in e.g. default pbuilder setups.

Fixed, thanks; will upload shortly.

[...]
> Since the filename is predictable, I guess debsign is vulnerable to symlink
> attacks and the like (although I'm no security crack, etc., sorry if I'm
> overthinking the consequences of this bug).

I'm not 100% sure myself, to be honest. Security team?

This particular mktemp call was introduced in devscripts 2.10.31, which
means it exists in lenny (as do the issues raised in #507482, although
that's currently marked "important").

Regards,

Adam
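An added example to go with this thread; it is not debsign's or devscripts' own code and not Cyril's patch (which is not on this page). It shows the template rule the report is about (the X's must be the last characters), a portable way to get a random temporary name together with a fixed suffix, and, in a scratch directory, why a predictable temporary name lets a planted symlink redirect the write. All paths and file names are invented.

```shell
#!/bin/sh
# Added example, not devscripts/debsign code. Hypothetical names throughout.

# The X's have to be the final characters of the template: mkstemp(3) only
# randomises a trailing "XXXXXX". A suffix pasted after the X's, as in
# debsign.XXXXXX.changes, was rejected by the mktemp of 2008. (Newer GNU
# coreutils mktemp treats trailing characters as a suffix; check
# `mktemp --version` before relying on that.)
xs_at_end() {
    case $1 in
        *XXXXXX) return 0 ;;
        *)       return 1 ;;
    esac
}

# Random name AND a fixed suffix, portably: create a private directory
# (mktemp -d gives mode 0700 and O_EXCL creation), then use any file name
# inside it. Prints the path of the copy.  $1 = source file, $2 = suffix
safe_tmpcopy() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/debsign.XXXXXX") || return 1
    cp -- "$1" "$dir/copy.$2" || return 1
    printf '%s\n' "$dir/copy.$2"
}

# Constructed demonstration of the symlink attack: the attacker guesses the
# predictable name and links it to a file they want clobbered; the victim's
# redirection then writes through the link. Returns 0 if the attack worked.
predictable_name_is_clobbered() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    printf 'original\n' > "$work/target"          # file the attacker targets
    ln -s target "$work/debsign.tmp.changes"      # planted link, guessed name
    printf 'signed changes\n' > "$work/debsign.tmp.changes"   # victim writes
    result=$(cat "$work/target")
    rm -rf "$work"
    [ "$result" = "signed changes" ]
}

# The same victim write with O_EXCL semantics (sh noclobber, set -C): an
# existing path, symlink included, is refused, so the planted link is not
# followed. mktemp relies on the same O_EXCL plus a random name. Returns 0
# if the write was refused and the target is untouched.
excl_write_refuses_symlink() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    printf 'original\n' > "$work/target"
    ln -s target "$work/debsign.tmp.changes"
    if ( set -C; printf 'signed changes\n' > "$work/debsign.tmp.changes" ) 2>/dev/null
    then refused=0
    else refused=1
    fi
    result=$(cat "$work/target")
    rm -rf "$work"
    [ "$refused" -eq 1 ] && [ "$result" = "original" ]
}
```

Usage: `xs_at_end debsign.changes.XXXXXX` succeeds and `xs_at_end debsign.XXXXXX.changes` fails, which is the check the bogus call needed; `safe_tmpcopy foo.changes changes` prints a path such as /tmp/debsign.AbC123/copy.changes. The `set -C` function only demonstrates the O_EXCL refusal; in real code use mktemp, which combines that refusal with an unguessable name.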
