Hi John

> Steffen,
>
> I went to the URLs in this bug report, and nothing even indicated
> where in the source the problem was. I see no indication that
> upstream is even aware of this problem. The CVE status, in fact, is
> "under review" and I'm not certain that this is really an issue.
>
> Can you help me figure this one out please? Where's the problem and
> what's the suggested fix?

Well, the problem actually exists in the example script, for instance when it writes to /tmp/mtxloaded or /tmp/mtx.$$ (which is also not completely secure). The best way would be to use mktemp. The issue is not really severe, since it is only an example script.

However, when I searched through the code just now, I got a few hits on "/tmp". I got a lot of working_directory = "/tmp";. Could you please check that they are all using mkstemp or something when they write to files/directories under /tmp?

Thanks for your work.

Cheers
Steffen
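The point Steffen raises, as an added example that is not part of the thread or of the project's own script: the predictable `/tmp/mtx.$$` naming pattern beside the `mktemp`-based replacement he suggests. The function names and the `mtx.XXXXXX` template are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or the project.
# Contrasts a fixed/PID-based temp file name with mktemp(1).

# Weak pattern, as in the example script: the name is predictable
# (only the PID varies), and a plain ">" redirection will follow
# whatever file or symlink already sits at that path.
weak_tmpfile() {
    printf '/tmp/mtx.%s\n' "$$"
}

# Hardened replacement: mktemp creates the file itself, atomically,
# with a random suffix and mode 0600, so a pre-existing entry at the
# path is never reused. TMPDIR is honoured, /tmp is the fallback.
secure_tmpfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/mtx.XXXXXX") || return 1
    printf '%s\n' "$f"
}

# Typical use: abort if the file cannot be created, and remove it on exit.
main() {
    tmp=$(secure_tmpfile) || { echo "mktemp failed" >&2; return 1; }
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    echo "loaded" > "$tmp"
    cat "$tmp"
}

main "$@"
```

Note that `mktemp` also handles the directory case (`mktemp -d`), which is the fix for a hard-coded `working_directory = "/tmp"` when the program creates files under it; in C code the equivalent calls are `mkstemp(3)` and `mkdtemp(3)`.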

