Hi John

> Steffen,
>
> I went to the URLs in this bug report, and nothing even indicated
> where in the source the problem was.  I see no indication that
> upstream is even aware of this problem.  The CVE status, in fact, is
> "under review" and I'm not certain that this is really an issue.
>
> Can you help me figure this one out please?  Where's the problem and
> what's the suggested fix?
Well, the problem actually exists in the example script, for instance when it 
writes to /tmp/mtxloaded or /tmp/mtx.$$ (which is also not completely 
secure). The best way would be to use mktemp. The issue is not really severe, 
since it is only an example script. However, when I searched through the code 
just now, I got a few hits on "/tmp". I got a lot of working_directory 
= "/tmp";. Could you please check that they are all using mkstemp or 
something when they write to files/directories under /tmp?
Thanks for your work.

Cheers
Steffen
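The two things Steffen asks about, shown as an added example that is not part of the mail thread or of the mtx package: a mktemp(1)-based replacement for the predictable /tmp/mtx.$$ pattern (mkstemp(3) is the equivalent for the C sources he mentions), and a small grep-based scan of the kind he describes, run over a constructed sample script that is modelled on the report rather than copied from mtx. All function and variable names are assumptions.

```shell
#!/bin/sh
# Added example (not mtx's own code). Contrasts a predictable /tmp name with
# a mktemp-created file, and scans a constructed script for fixed /tmp paths.

# The pattern from the report: the name depends only on the PID, so it is
# predictable, and a shell redirect follows whatever file or symlink an
# attacker already placed at that path. This helper only prints the name;
# it never writes to it.
unsafe_tmp_name() {
    echo "/tmp/mtx.$$"
}

# Safe replacement: mktemp creates the file itself (O_EXCL, mode 0600) with
# random characters in place of XXXXXX, so there is no window between
# choosing the name and creating the file. Honors TMPDIR.
# Prints the path on success; prints nothing and returns non-zero on failure.
safe_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/mtx.XXXXXX"
}

# Return 0 when the file is readable and writable by its owner only
# (-rw-------), which is what mktemp guarantees regardless of umask.
tmp_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Count lines of $1 that mention /tmp without calling mktemp on the same
# line. A crude review aid, not a proof: a hit means "look at this line".
count_fixed_tmp() {
    grep -n '/tmp' "$1" | grep -vc 'mktemp'
}

# Print the offending lines as file:line:text; return 1 if there are any.
scan_fixed_tmp() {
    hits=$(grep -n '/tmp' "$1" | grep -v 'mktemp')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed "s|^|$1:|"
    return 1
}

# Demo: both scratch files come from mktemp and are removed on exit/interrupt.
SAMPLE=$(safe_tmp_file) || exit 1
SCRATCH=$(safe_tmp_file) || exit 1
trap 'rm -f "$SAMPLE" "$SCRATCH"' EXIT HUP INT TERM

# Constructed sample script (not mtx's example script): two fixed /tmp
# paths like the ones in the report, plus one correct mktemp use.
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
# constructed sample script
touch /tmp/mtxloaded
echo "$$" > /tmp/mtx.$$
state=$(mktemp /tmp/mtx.XXXXXX)
EOF

echo "predictable name the old pattern would use: $(unsafe_tmp_name)"
echo "scan of sample script:"
scan_fixed_tmp "$SAMPLE" \
    || echo "-> $(count_fixed_tmp "$SAMPLE") fixed /tmp path(s) to review"

echo "mktemp file $SCRATCH has mode $(ls -l "$SCRATCH" | cut -c1-10)"
printf 'loaded\n' > "$SCRATCH"
```

The scan deliberately errs on the side of noise: a line such as working_directory = "/tmp"; is reported even though using /tmp as a directory can be fine, because the question in each case is whether every file created under it goes through mkstemp/mktemp. Note that mktemp(1) without a template argument already honors TMPDIR; the explicit template is only there to keep the mtx. prefix.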
