*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

/usr/bin/getweb is vulnerable to "Insecure temporary file creation". [0]

While I don't know if anyone uses the getweb command, the script makes a temporary directory in /tmp called foo2zjs; it then may download (depending on user input) one or more gzip and extract them in /tmp/foo2zjs. However, the script does not check if the folder already exists / the return code of mkdir - so the script could possibly result in the over-writing of files or simply extra junk placed in $random places on the file-system.

[0] - http://cwe.mitre.org/data/definitions/377.html
[1] line 488
"
    mkdir -p /tmp/foo2zjs
    cd /tmp/foo2zjs
"

** Affects: foo2zjs (Ubuntu)
     Importance: Undecided
         Status: New

--
/usr/bin/getweb is vulnerable to "Insecure temporary file creation" weaknesses
https://bugs.launchpad.net/bugs/805370
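
The directory handling described in the report, shown next to a hardened form. This is an added example, not part of the bug report and not code from getweb or foo2zjs. The function names, the scratch base directory standing in for /tmp, and the pre-existing symlink are constructed for illustration.

```sh
#!/bin/sh
# Added example: predictable vs. private working directory (not getweb's code).

# Pattern from the report: a fixed name under a shared directory.
# "mkdir -p" exits 0 when the path already exists, so a directory or symlink
# created there earlier by someone else is accepted without notice.
workdir_predictable() {
    mkdir -p "$1/foo2zjs" && printf '%s\n' "$1/foo2zjs"
}

# Hardened form: mktemp -d either creates a brand-new directory (mode 0700,
# unpredictable suffix) or fails; it never reuses an existing path.
workdir_private() {
    mktemp -d "$1/foo2zjs.XXXXXXXXXX"
}

# Defensive check before use: a real directory (not a symlink) that only its
# owner can access.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed scenario: $base stands in for /tmp, and the fixed name already
# exists there as a symlink to another directory before the script runs.
run_scenario() {
    base=$(mktemp -d) || return 1
    mkdir "$base/elsewhere" && ln -s "$base/elsewhere" "$base/foo2zjs" || return 1

    old=$(workdir_predictable "$base") || return 1
    : > "$old/download.tar.gz"               # stands in for the fetched archive
    [ -e "$base/elsewhere/download.tar.gz" ] && echo "predictable: redirected"
    is_private_dir "$old" || echo "predictable: rejected by check"

    new=$(workdir_private "$base") || return 1
    is_private_dir "$new" && echo "private: ok"
    rm -rf "$base"
}

run_scenario
```

With the fixed name, the write lands wherever the existing entry points; with mktemp -d, the script fails closed instead of adopting a path it did not create.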