Package: libmail-audit-perl
Version: 2.1-5
Severity: serious
Justification: Etch RC policy

The Mail::Audit module logs by default to

    my $logfile = "/tmp/".getpwuid($>)."-audit.log";

if logging is turned on (the loglevel parameter to new()) and no logfile
is explicitly specified. The module will follow any symlinks and append
to the corresponding file:

    if ($logging) {
        open LOG, ">>$logfile" or open LOG, ">>/dev/null";

This is RC according to the Etch release policy [1]:

    (h) Temporary files

    Any programs and scripts that create files in /tmp or other world
    writable directories must use a mechanism which fails if the file
    already exists.

An obvious workaround would be to log into e.g. "$HOME/mail-audit.log".

(I'm not sure if this should be tagged "security" and fixed for sarge
too, so I'm leaving that for others to judge.)

[1] http://release.debian.org/etch_rc_policy.txt

Cheers,
-- 
Niko Tyni [EMAIL PROTECTED]
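The following is an added example, not Mail::Audit's own code and not part of the bug report above. It shows how a module could open its audit log in the way the report suggests: defaulting to "$HOME/mail-audit.log" instead of /tmp, refusing to follow a symlink at the log path (O_NOFOLLOW, which Fcntl exports on Linux and other platforms that define it), and checking the object actually opened with fstat rather than stat on the path name. The helper names open_audit_log and open_tmp_log_exclusive are hypothetical; the second one is only for the case where a file genuinely must live in /tmp and shows the "fails if the file already exists" behaviour (O_EXCL) that the release policy requires.

```perl
#!/usr/bin/perl
# Added example (hypothetical helpers, not Mail::Audit's code): open a
# per-user audit log without following symlinks or trusting /tmp.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);   # O_* flags and S_ISREG

# Returns a writable filehandle for the audit log, or dies.
# Default location is the reporter's suggested "$HOME/mail-audit.log".
sub open_audit_log {
    my ($logfile) = @_;
    $logfile //= ($ENV{HOME} // (getpwuid($>))[7]) . "/mail-audit.log";

    # O_NOFOLLOW makes the open fail (ELOOP) if the final path component
    # is a symlink, so a pre-planted link cannot redirect the append.
    my $flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW;
    sysopen(my $fh, $logfile, $flags, 0600)
        or die "cannot open $logfile: $!\n";

    # Inspect the handle we hold (fstat), not the path (stat), so there is
    # no check-then-use window between the test and the write.
    my @st = stat($fh) or die "fstat on $logfile failed: $!\n";
    my ($mode, $nlink, $uid) = @st[2, 3, 4];
    S_ISREG($mode) or die "$logfile is not a regular file\n";
    $uid == $>     or die "$logfile is not owned by the current user\n";
    $nlink == 1    or die "$logfile has extra hard links\n";

    return $fh;
}

# Only for files that must live in a world-writable directory: a unique
# name plus O_EXCL, so the open fails instead of reusing an existing name.
# Returns the handle and the path that was created.
sub open_tmp_log_exclusive {
    my $name = sprintf "/tmp/%s-audit.%d.%d.log",
        scalar getpwuid($>), $$, time;
    sysopen(my $fh, $name,
            O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create $name: $!\n";
    return ($fh, $name);
}

# Stand-alone usage: append one line to the per-user log in $HOME.
if (!caller) {
    my $fh = open_audit_log();
    print {$fh} scalar(localtime), " audit log opened safely\n";
    close $fh or die "close failed: $!\n";
}
```

The ownership and link-count checks are what make the $HOME variant safe even if the home directory is shared or group-writable: a symlink is rejected by the kernel at open time, and a file that someone else created or hard-linked into place is rejected before anything is written to it.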