On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote: > If you (or the maintainer) review the code or analyse the program's > behaviour and it is using *fixed* (i.e. not random) filenames for the > temporary files or for the directories they are created in (/tmp or > /var/tmp), you might want to suggest the maintainer to review if the > code in charge of creating temporary files is doing this properly.
Should I find hard-coded uses of /tmp/, do you have any suggestions or tips about how to assess the security impact of these issues. Up to now I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo and checked if ~pabs/foo was overwritten. I wonder if there are any tools to automatically assess the impact of these issues by using LD_PRELOAD and or fs/user namespaces, are you aware of any of these? > I'm sure the situation has *not* improved since then. Based on a quick grep of /usr/bin/* I expect you are correct. I wonder if a pedantic/experimental lintian warning about hardcoding use of /tmp/ would be doable or helpful, any thoughts? -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAKTje6FPdwiHApZH7TOkMSC59Me=ExgZgHrYXQNT8VTcka==b...@mail.gmail.com
