Package: djvulibre-bin
Version: 3.5.25.4-4+b1
Tags: security

This is how djvudigital uses temporary files:

           djvutext="/tmp/dj$$.ps"
           trap "rm 2>/dev/null $djvutext" 0
           cat > $djvutext <<\EOF
(ps2utf8.ps) runlibfile currentglobal /setglobal load true setglobal
.ps2utf8 begin /onpage { } bind def /onfont { pop pop pop } bind def
/onmark { pop pop pop pop currentx currenty currentpoint
.djvutextmark } bind def end exec
EOF


This is insecure because the filename is predictable and, more importantly, the program doesn't fail atomically if the file already exists.

Please use mktemp(1) for creating temporary files.

--
Jakub Wilk
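The mktemp(1)-based variant the report asks for, as an added example (not djvulibre's own code, and not part of the original report): the same heredoc is written to a file that mktemp creates atomically with O_EXCL, mode 0600 and an unpredictable name, so a pre-existing file or symlink at a guessable path such as /tmp/dj$$.ps can no longer be hijacked. The function names and the `djvutext.XXXXXX` template are assumptions.

```shell
#!/bin/sh
# Added example: hardened temp-file handling for the djvudigital snippet.
set -u

# make_djvutext_script: create a private temp file holding the PostScript
# snippet and print its path. mktemp honours TMPDIR when it is set and
# fails (returns non-zero) instead of reusing an existing path.
make_djvutext_script() {
    djvutext=$(mktemp "${TMPDIR:-/tmp}/djvutext.XXXXXX") || return 1
    cat > "$djvutext" <<\EOF
(ps2utf8.ps) runlibfile currentglobal /setglobal load true setglobal
.ps2utf8 begin /onpage { } bind def /onfont { pop pop pop } bind def
/onmark { pop pop pop pop currentx currenty currentpoint
.djvutextmark } bind def end exec
EOF
    printf '%s\n' "$djvutext"
}

# check_private_tempfile: succeed only if the path is a regular file (not a
# symlink) with mode 0600, i.e. what mktemp is expected to give us.
# Tries GNU stat first, then BSD stat.
check_private_tempfile() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$perms" = "600" ]
}

# Usage in the spirit of the original script: create the file, then arrange
# for it to be removed on exit (the trap body is expanded at exit time).
djvutext=$(make_djvutext_script) || exit 1
trap 'rm -f -- "$djvutext"' 0
check_private_tempfile "$djvutext" && echo "created $djvutext (mode 0600)"
```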
