Bug#340079: insecure tempfiles

2005-12-19 Thread Steve Langasek
On Mon, Dec 19, 2005 at 04:01:32PM +0100, Bill Allombert wrote: > On Sun, Nov 20, 2005 at 03:01:58PM -0800, Steve Langasek wrote: > > On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote: > > > However I am not sure this is a security bug: > > > The original script creates a file named tem

Bug#340079: insecure tempfiles

2005-12-19 Thread Bill Allombert
On Sun, Nov 20, 2005 at 03:01:58PM -0800, Steve Langasek wrote: > On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote: > > However I am not sure this is a security bug: > > The original script creates a file named tempfile in the current > > directory, not in /tmp. > > > Would you consi

Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Langasek
On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote: > However I am not sure this is a security bug: > The original script creates a file named tempfile in the current > directory, not in /tmp. > Would you consider this script to have a security hole? > #!/bin/sh > cat "$1" > tempfile >

Bug#340079: insecure tempfiles

2005-11-20 Thread Bill Allombert
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote: > Package: libjpeg-progs > Version: 6b-10 > Severity: grave > File: /usr/bin/exifautotran > Tags: security patch > > Hello, > > exifautotran just uses a file named "tempfile" for temporarily saving > the result of jpegtran. Note that

Bug#340079: insecure tempfiles

2005-11-20 Thread Uwe Zeisberger
Steve Kemp wrote: > On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote: > The patch is .. missing. Uuups, sorry, here it comes... Best regards, Uwe -- Uwe Zeisberger alert("This is a virus for Outlook") --- /usr/bin/exifautotran 2005-03-02 13:26:24.0 +0100 +++ /usr/b

Bug#340079: insecure tempfiles

2005-11-20 Thread Bill Allombert
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote: > Package: libjpeg-progs > Version: 6b-10 > Severity: grave > File: /usr/bin/exifautotran > Tags: security patch > > Hello, > > exifautotran just uses a file named "tempfile" for temporarily saving > the result of jpegtran. > > With

Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Kemp
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote: > Tags: security patch > With the attached patch applied, it uses mktemp for their creation. The patch is .. missing. Steve

Bug#340079: insecure tempfiles

2005-11-20 Thread Uwe Zeisberger
Package: libjpeg-progs Version: 6b-10 Severity: grave File: /usr/bin/exifautotran Tags: security patch Hello, exifautotran just uses a file named "tempfile" for temporarily saving the result of jpegtran. With the attached patch applied, it uses mktemp for their creation. Best regards Uwe -- Sys