On 10/02/2012, Paul Wise <p...@debian.org> wrote:
> On Sun, Feb 5, 2012 at 10:51 AM, Paul Wise wrote:
>
>> If I notice that software in Debian is ignoring TMP/TMPDIR (since I use
>> libpam-tmpdir), what severity should I file the resulting bugs at?
>
> I'll file them at wishlist as suggested by the second mail in this thread.
If you (or the maintainer) review the code or analyse the program's behaviour and it is using *fixed* (i.e. not random) filenames for the temporary files or for the directories they are created in (/tmp or /var/tmp), you might want to suggest that the maintainer review whether the code in charge of creating temporary files is doing this properly.

When in 2004-2006 I reviewed [1] programs in the archive using temporary files in fixed locations (i.e. /tmp and /var/tmp) I found a number of security vulnerabilities which were all instances of these categories:

- CWE-377: Insecure Temporary File - http://cwe.mitre.org/data/definitions/377.html
- CWE-379: Creation of Temporary File in Directory with Incorrect Permissions - http://cwe.mitre.org/data/definitions/379.html
- CWE-378: Creation of Temporary File With Insecure Permissions - http://cwe.mitre.org/data/definitions/378.html

I'm sure the situation has *not* improved since then.

Best regards

Javier

[1] Acting as a member of the Debian Security Audit Team. A full list of advisories at http://www.debian.org/security/audit/advisories
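The TMPDIR-honouring, random-name, O_EXCL-based creation that Javier is asking maintainers to check for, as an added C example that is not part of this thread or of any Debian package; the function names (make_private_tmpfile, tmpfile_is_private, demo_roundtrip) and the "example.XXXXXX" template are chosen here for illustration:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pick the temp directory the way a TMPDIR-aware program should:
 * honour $TMPDIR (the per-user directory libpam-tmpdir sets),
 * otherwise fall back to libc's P_tmpdir (normally /tmp). */
static const char *tmp_base(void) {
    const char *d = getenv("TMPDIR");
    if (d && *d) return d;
    return P_tmpdir;
}

/* Create a temp file with a random name under tmp_base().  mkstemp()
 * opens it O_CREAT|O_EXCL with mode 0600, so a pre-planted file or
 * symlink at the chosen name makes the call fail instead of being
 * followed (the CWE-377 case).  Returns the open fd, or -1. */
int make_private_tmpfile(char *path, size_t len) {
    int n = snprintf(path, len, "%s/example.XXXXXX", tmp_base());
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Defensive check for CWE-378/379: the open fd must be a regular file
 * we own, with no group/other permission bits, and the name on disk
 * must still refer to that same inode (not a symlink swapped in). */
int tmpfile_is_private(int fd, const char *path) {
    struct stat sf, sp;
    if (fstat(fd, &sf) != 0 || lstat(path, &sp) != 0) return 0;
    if (!S_ISREG(sf.st_mode) || sf.st_uid != geteuid()) return 0;
    if (sf.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return sf.st_ino == sp.st_ino && sf.st_dev == sp.st_dev;
}

/* Round trip: create, verify it is private and lives under tmp_base(),
 * then clean up.  Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void) {
    char path[4096];
    int fd = make_private_tmpfile(path, sizeof path);
    if (fd < 0) return 0;
    int ok = tmpfile_is_private(fd, path)
          && strncmp(path, tmp_base(), strlen(tmp_base())) == 0;
    close(fd);
    unlink(path);
    return ok;
}
```

Running it with TMPDIR set to a per-user directory (as libpam-tmpdir does) shows the file landing there rather than in /tmp; a program that hard-codes "/tmp/example.tmp" instead is exactly what the bug reports above are about.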