Source: lilypond
Version: 2.18.2-2
Severity: grave
Tags: security

This package's debian/rules sets HOME to /tmp. But HOME is supposed to be writable only by trusted users, whereas /tmp is world-writable.
For example, python2.7 (which debian/rules indirectly runs) loads code from $HOME/.local/lib/python2.7/site-packages/.
-- 
Jakub Wilk
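An added example, not part of the original report and not lilypond's packaging code: a shell helper that a build script could use to reject a HOME that other users can write to and fall back to a private per-build directory. The function names and the `build-home` prefix are hypothetical.

```shell
#!/bin/sh
# Added example: pick a HOME for a package build that only the
# building user can write to, instead of pointing HOME at /tmp.

# home_is_private DIR
# Succeeds only if DIR is a directory owned by the current user and has
# neither the group-write nor the other-write permission bit set.
# A sticky, world-writable directory such as /tmp fails this check:
# any local user can create $HOME/.local/... there before the build runs.
# A symlink is not followed, so it is rejected too (conservative).
home_is_private() {
    [ -d "$1" ] || return 1
    # find prints the path only when every condition holds.
    [ -n "$(find "$1" -prune -user "$(id -u)" \
            ! -perm -0020 ! -perm -0002 2>/dev/null)" ]
}

# make_build_home
# Creates a fresh directory with an unpredictable name, readable and
# writable by the current user only, and prints its path.
make_build_home() {
    new_home=$(mktemp -d "${TMPDIR:-/tmp}/build-home.XXXXXX") || return 1
    chmod 700 "$new_home" || return 1
    printf '%s\n' "$new_home"
}

# pick_build_home
# Prints the current HOME if it is private, otherwise a new private one.
pick_build_home() {
    if home_is_private "${HOME:-}"; then
        printf '%s\n' "$HOME"
    else
        make_build_home
    fi
}

# Typical use at the top of a build step (remove the directory afterwards):
#   HOME=$(pick_build_home) && export HOME
```
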