Package: flamethrower
Version: 0.1.8-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for flamethrower.

CVE-2008-5141[1]:
> flamethrower in flamethrower 0.1.8 allows local users to overwrite
> arbitrary files via a symlink attack on a /tmp/multicast.tar.#####
> temporary file.

Please note that a more careful inspection of the script reveals that even more insecure paths are used, not just the one mentioned in the CVE. Searching for /tmp and $tmp_dir and the other vars taking $tmp_dir as their value will reveal the rest.

If you fix the vulnerability please also make sure to include the CVE id in the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5141
    http://security-tracker.debian.net/tracker/CVE-2008-5141

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
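The search the report recommends (hard-coded /tmp, $tmp_dir, and every variable that takes its value) can be automated as below. This is an added example, not part of the original report and not flamethrower's code: the Perl fragment is constructed, and every variable name in it other than $tmp_dir is hypothetical.

```python
import re

# Constructed Perl fragment in the style the report describes; it is NOT
# flamethrower's source. Names other than $tmp_dir are hypothetical.
SAMPLE = r'''
my $tmp_dir = "/tmp";
my $tarball = "$tmp_dir/multicast.tar.$$";
my $state_dir = "/var/lib/example";
my $list = $tarball . ".list";
open(OUT, ">$list") or die;
system("tar -cf $tarball -C $state_dir .");
my $log = "$state_dir/run.log";
'''

# Simple scalar assignment; the lookahead skips "==" and the "=~" match operator.
ASSIGN = re.compile(r'^\s*(?:my\s+|our\s+)?\$(\w+)\s*=(?![=~])\s*(.+?);\s*$')
VAR = re.compile(r'\$\{?(\w+)\}?')   # $name or ${name}
TMP = re.compile(r'/tmp\b')          # literal /tmp (also matches /var/tmp)

def tainted_vars(source, seeds=("tmp_dir",)):
    """Variables whose value derives, directly or transitively, from a
    seed variable or from a literal /tmp path."""
    tainted = set(seeds)
    changed = True
    while changed:  # iterate to a fixed point so chains $a -> $b -> $c resolve
        changed = False
        for line in source.splitlines():
            m = ASSIGN.match(line)
            if not m or m.group(1) in tainted:
                continue
            rhs = m.group(2)
            if TMP.search(rhs) or tainted & set(VAR.findall(rhs)):
                tainted.add(m.group(1))
                changed = True
    return tainted

def findings(source, seeds=("tmp_dir",)):
    """(line number, text) for every line that touches a temp-derived path."""
    tainted = tainted_vars(source, seeds)
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), 1)
            if TMP.search(line) or tainted & set(VAR.findall(line))]

if __name__ == "__main__":
    for n, line in findings(SAMPLE):
        print(f"{n}: {line}")
```

The scan is a line-based heuristic, so it will miss multi-line statements and values passed through subroutines. Each flagged line is a candidate for replacing a predictable name with an exclusively created temporary file, for example via Perl's File::Temp.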

