Package: a2ps
Version: 1:4.14-1.1
Severity: important
Tags: security

src/main.c contains this code:

   /* Use one of the temp file names so that cleanup can be correctly
      done. */
   tempname_ensure (job->tmp_filenames[0]);
   spyname = job->tmp_filenames[0];
   spy = fopen (spyname, "w");

tempname_ensure() is defined in lib/routines.h as:

  #define tempname_ensure(Str)                          \
  do {                                                  \
    (Str) = (Str) ? (Str) : tempnam (NULL, "a2_");    \
  } while (0)

From the tempnam(3) manpage: “Although tempnam() generates names that are difficult to guess, it is nevertheless possible that between the time that tempnam() returns a pathname, and the time that the program opens it, another program might create that pathname using open(2), or create it as a symbolic link. This can lead to security holes. To avoid such possibilities, use the open(2) O_EXCL flag to open the pathname. Or better yet, use mkstemp(3) or tmpfile(3).”

(There are other calls to tempname_ensure() in the a2ps code, but I haven't checked them.)

--
Jakub Wilk
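
The pattern described in the report, next to the two alternatives the quoted manpage recommends, as an added example (not code from a2ps or from the report). The names spy_open_racy, spy_open_excl, spy_open_mkstemp, wrap and target_clobbered are hypothetical, and /tmp is assumed to be writable; the symlink scenario is constructed inside a private mkdtemp(3) directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fopen(..., "w") follows a symlink at name. */
FILE *spy_open_racy(const char *name) { return fopen(name, "w"); }

/* Wrap a descriptor in a stream; close it if fdopen() fails. */
static FILE *wrap(int fd)
{
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (fd >= 0 && fp == NULL) close(fd);
    return fp;
}

/* O_EXCL fails with EEXIST if anything, even a symlink, is at the path. */
FILE *spy_open_excl(const char *name)
{ return wrap(open(name, O_WRONLY | O_CREAT | O_EXCL, 0600)); }

/* Preferred: mkstemp(3) picks the name and creates the file atomically
   (mode 0600); tmpl must end in "XXXXXX" and receives the final name. */
FILE *spy_open_mkstemp(char *tmpl) { return wrap(mkstemp(tmpl)); }

/* Constructed scenario in a private directory: "spy" is a symlink to a 5-byte
   "target". Returns 1 if opener truncated it, 0 if not, -1 on setup error. */
int target_clobbered(FILE *(*opener)(const char *))
{
    char dir[] = "/tmp/a2demo_XXXXXX", target[64], spy[64];
    struct stat st; FILE *fp;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(spy, sizeof spy, "%s/spy", dir);
    fp = fopen(target, "w");
    int ready = fp && (fputs("data\n", fp), fclose(fp) == 0)
                && symlink(target, spy) == 0;
    if (ready && (fp = opener(spy)) != NULL) fclose(fp);
    int clobbered = ready ? (stat(target, &st) == 0 && st.st_size == 0) : -1;
    unlink(spy); unlink(target); rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("fopen(\"w\"): %d\n", target_clobbered(spy_open_racy));
    printf("O_EXCL: %d\n", target_clobbered(spy_open_excl));
    return 0;
}
```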

