Package: syncevolution
Version: 1.0+ds1~beta2a-2
Severity: important
Tags: security

Dear Maintainer,

Your package contains a funny tmp file vulnerability.

$ grep 'mktemp`\.' -r .
./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
$

Both of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.

Helmut
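
The reported pattern next to one possible fix, as an added example that is not part of the original report or of syncevolution's code. The function names, the `installcheck.XXXXXXXXXX` template and the `check.cxx`/`check.o` file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from syncevolution): the reported pattern beside a fix.

# Reported pattern, kept for comparison. mktemp atomically creates
# /tmp/tmp.XXXXXXXXXX, but the value stored is that name plus ".cxx":
# a second path that nothing has created, derived from a visible name.
flawed_tmpname() {
    TMPFILE_CXX=`mktemp`.cxx
    echo "$TMPFILE_CXX"
}

# Hardened form: mktemp -d creates a directory with mode 0700, so no other
# user can place files or symlinks inside it. Fixed names with any suffix
# are then safe to hand to the compiler.
# Sets WORKDIR, TMPFILE_CXX and TMPFILE_O (all names are assumptions).
safe_tmpfiles() {
    WORKDIR=`mktemp -d "${TMPDIR:-/tmp}/installcheck.XXXXXXXXXX"` || return 1
    TMPFILE_CXX=$WORKDIR/check.cxx
    TMPFILE_O=$WORKDIR/check.o
}

# Remove everything created by safe_tmpfiles.
cleanup_tmpfiles() {
    if [ -n "$WORKDIR" ]; then
        rm -rf "$WORKDIR"
    fi
    WORKDIR=
}

# Demonstration: the suffixed name does not exist, the mktemp file is orphaned.
bad=`flawed_tmpname`
[ -e "$bad" ] || echo "flawed: $bad was never created"
[ -f "${bad%.cxx}" ] && echo "flawed: ${bad%.cxx} was created but is unused"
rm -f "${bad%.cxx}"

# Demonstration: the private directory and the names placed inside it.
safe_tmpfiles && ls -ld "$WORKDIR" && echo "safe: $TMPFILE_CXX $TMPFILE_O"
cleanup_tmpfiles
```
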

