Bug#640389: debianutils: tempfile security exposure with TMPFILE environment variable

2011-09-04 Thread Michael Gilbert
Jonathan Nieder wrote:
> [1] The crux in bug #635849 is that if the user is allowed to
> influence TMPDIR or the template argument then the filename returned
> by tempfile and mktemp cannot be trusted not to contain shell
> metacharacters; but properly quoting all variables is already good
> policy

Bug#640389: debianutils: tempfile security exposure with TMPFILE environment variable

2011-09-04 Thread Jonathan Nieder
Hi,

Michael Gilbert wrote:
> debianutil's tempfile (and coreutil's mktemp as well) expose security
> issues when an attacker has control of the TMPFILE environment variable.
> I believe that support for this variable should be disabled. Note that
> scripts that expect to set the tmpfile director

Bug#640389: debianutils: tempfile security exposure with TMPFILE environment variable

2011-09-04 Thread Michael Gilbert
package: debianutils
version: 4.0.2
severity: important
tags: security

Hi,

debianutil's tempfile (and coreutil's mktemp as well) expose security issues when an attacker has control of the TMPFILE environment variable. I believe that support for this variable should be disabled. Note that scripts