On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> Package: apt
> Version: 0.8.7
> Severity: serious
> Tags: security patch

Thanks for your bug report and your patch!

> I've found an instance of insecure temporary filenames handling. The
> problem is that the code correctly creates a temporary directory, but
> then uses that name as just a prefix for the created changelog
> filename, thus creating it alongside the temporary directory (instead
> of inside of it), and making it very much predictable. This is worsened
> due to the time it takes apt-get to download the changelog from the net,
> which gives a very huge window to use that pathname.
>
> Attached a patch fixing this. This affects all versions starting from
> the one in squeeze.
>
> I'm not sure if this deserves a CVE or perhaps a lower severity?
[..]

I uploaded a fix for wheezy now, squeeze is not affected, this feature
got added in 0.8.11 in Debian so we should be safe here.

Cheers,
 Michael
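
The pattern described in the quoted report, as an added example that is not apt's code or the attached patch: a C sketch contrasting a file name built by using the mkdtemp() result as a prefix with creating the file inside the private directory via openat() and O_EXCL. The directory template, the file name "changelog" and all function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Flawed pattern from the report: the mkdtemp() name is used as a prefix,
 * so the file becomes a predictable sibling of the private directory. */
static void path_as_prefix(const char *tmpdir, char *out, size_t n) {
    snprintf(out, n, "%schangelog", tmpdir);
}

/* Returns 1 if path lies below dir (dir followed by '/'), 0 otherwise. */
static int is_inside(const char *dir, const char *path) {
    size_t len = strlen(dir);
    return strncmp(dir, path, len) == 0 && path[len] == '/';
}

/* Hardened: create the file relative to the directory's descriptor, fail if
 * the name already exists, never follow a symlink. Returns an fd or -1. */
static int create_in_private_dir(const char *tmpdir, const char *name) {
    int dfd = open(tmpdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

/* Demo: returns 0 when the prefix path lands outside the directory and the
 * hardened call creates the file inside it; a negative value otherwise. */
static int demo(void) {
    char tmpl[] = "/tmp/changelog-demo-XXXXXX";   /* constructed template */
    char bad[256], good[256];
    if (!mkdtemp(tmpl)) return -1;                /* directory is mode 0700 */
    path_as_prefix(tmpl, bad, sizeof bad);
    snprintf(good, sizeof good, "%s/changelog", tmpl);
    int fd = create_in_private_dir(tmpl, "changelog");
    int second = create_in_private_dir(tmpl, "changelog"); /* O_EXCL: fails */
    int ok = !is_inside(tmpl, bad) && is_inside(tmpl, good)
             && fd >= 0 && second < 0;
    printf("prefix: %s\ninside: %s\n", bad, good);
    if (fd >= 0) close(fd);
    unlink(good);
    rmdir(tmpl);
    return ok ? 0 : -2;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

The prefix form yields a name directly under the shared /tmp, where the 0700 mode of the mkdtemp() directory gives no protection; the openat() form keeps the file under that directory and refuses a pre-existing name.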