Hi!

Thank you for this report, the issue has already been fixed upstream and I'm waiting for a new bugfix release of PK, which will also solve some other issues, so we can include this in Wheezy.

Cheers,
Matthias

2012/6/19 Julien Cristau <jcris...@debian.org>:
> Package: packagekit-backend-aptcc
> Version: 0.7.4-4
> Severity: grave
> Tags: security
> Justification: user security hole
>
> /usr/share/PackageKit/helpers/aptcc/pkconffile uses a tempfile with a
> fixed name in /tmp, which means anyone could create a
> /tmp/pkconffile.templates symlink and have root trash the contents of
> the linked file. You need to use mktemp (or File::Temp or however it's
> called in perl).
>
> Cheers,
> Julien
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
> 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages packagekit-backend-aptcc depends on:
> ii  app-install-data    2010.11.17
> ii  libapt-inst1.5      0.9.6
> ii  libapt-pkg4.12      0.9.6
> ii  libc6               2.13-33
> ii  libgcc1             1:4.7.1-1
> ii  libglib2.0-0        2.32.3-1
> ii  libgstreamer0.10-0  0.10.36-1
> ii  libstdc++6          4.7.1-1
> ii  libxml2             2.8.0+dfsg1-4
> ii  python              2.7.3~rc2-1
> ii  python-packagekit   0.7.4-4
>
> Versions of packages packagekit-backend-aptcc recommends:
> ii  apt-xapian-index  0.45
> ii  packagekit        0.7.4-4
>
> Versions of packages packagekit-backend-aptcc suggests:
> ii  gdebi-core  0.8.5
>
> -- no debconf information
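
The change the report asks for, as an added shell example that is not part of the thread or of PackageKit's code: a fixed-name write beside a mktemp-based one, run inside a constructed sandbox directory standing in for /tmp. The function names and the sandbox layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sandbox standing in for /tmp; nothing outside it is touched.
SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# Before: the pattern from the report, a fixed and predictable file name.
# The redirection opens whatever already sits at that path, so a planted
# symlink is followed and its target is truncated and overwritten.
write_fixed() {   # $1 = shared directory, $2 = data
    printf '%s\n' "$2" > "$1/pkconffile.templates"
}

# After: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing file or symlink is
# never reused. Prints the path it wrote to.
write_safe() {    # $1 = shared directory, $2 = data
    tmp=$(mktemp "$1/pkconffile.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Runs one writer in a fresh directory where the fixed name already
# exists as a symlink to a "victim" file, then prints the victim's
# content so the caller can see whether it survived.
demo() {          # $1 = write_fixed | write_safe
    dir=$(mktemp -d "$SANDBOX/run.XXXXXX") || return 1
    printf 'important\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/pkconffile.templates"
    "$1" "$dir" 'template data' > /dev/null
    cat "$dir/victim"
}

echo "fixed name: victim now contains '$(demo write_fixed)'"
echo "mktemp:     victim now contains '$(demo write_safe)'"
```

On Linux 3.6 and later, the `fs.protected_symlinks` sysctl blocks many such symlink follows in sticky world-writable directories, but that is a kernel-side mitigation and the helper still needs the mktemp-style fix.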