Package: nodau
Version: 0.3.1-1
Severity: important
Tags: security upstream
Control: forwarded -1 https://github.com/darkrose/nodau/issues/17

[opened in Debian to track the issue]

nodau unsafely handles temporary files when using an external editor,
possibly allowing a malicious user to overwrite files or disclose
information (but on recent kernels fs.protected_symlinks might need to
be disabled).

But in any case notes contents are leaked (depending on user umask,
opening an existing note) in /tmp/nodau.$timestamp.

The prerequisite for this to happen is that the user sets either the
$EDITOR environment variable or the external_editor setting in
~/.config/nodau/nodau.conf.

Salvatore
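
A hardened way to create the scratch file handed to an external editor, as an added example (not nodau's code and not the upstream fix). The helper names `make_private_tmp`, `open_exclusive` and `shared_bits` and the `note.XXXXXX` template are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a scratch file with an unpredictable name.
 * mkstemp() opens it with O_CREAT|O_EXCL and mode 0600, so a pre-planted
 * symlink is never followed and a permissive umask cannot leave the file
 * readable by group or others.
 * Returns an open fd and fills `path`, or -1 on error. */
int make_private_tmp(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path, len, "%s/note.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return -1;              /* template did not fit in the buffer */
    return mkstemp(path);
}

/* Hypothetical helper: if a fixed name must be used, O_EXCL makes open()
 * fail with EEXIST when the name already exists, symlinks included. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Group/other permission bits of an open fd (0 means private), -1 on error. */
int shared_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 077) : -1;
}

int main(void)
{
    char path[4096];
    int fd = make_private_tmp(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("%s shared bits: %o\n", path, (unsigned)shared_bits(fd));
    printf("second exclusive open: %d\n", open_exclusive(path));
    close(fd);
    unlink(path);   /* remove the note copy once the editor is done */
    return 0;
}
```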

