Source: lilypond
Version: 2.18.2-2
Severity: grave
Tags: security

This package's debian/rules sets HOME to /tmp. But HOME is supposed to be writable only by trusted users, whereas /tmp is world-writable.

For example, python2.7 (which debian/rules indirectly runs) loads code from $HOME/.local/lib/python2.7/site-packages/.

--
Jakub Wilk
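
A build-time check for the condition reported above, as an added example that is not part of the original report or of the lilypond packaging: it flags a HOME that other users can write to and the per-user site-packages path Python would import from, and shows a private replacement directory. The function names are hypothetical.

```python
import os
import stat
import tempfile


def home_is_trusted(path):
    """Return (ok, reason); ok only if root or the current user alone can write to path."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid not in (0, os.geteuid()):
        return False, "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def user_site_for(home, version="2.7"):
    # The path named in the report: $HOME/.local/lib/python2.7/site-packages/
    return os.path.join(home, ".local", "lib", "python" + version, "site-packages")


def audit_home(home):
    """Return a list of findings for using `home` as HOME during a build."""
    findings = []
    ok, reason = home_is_trusted(home)
    if not ok:
        findings.append("HOME=%s is not trusted: %s" % (home, reason))
        site = user_site_for(home)
        if os.path.isdir(site):
            # Anything placed here by another user would be imported by the build.
            findings.append("%s already exists and would be on sys.path" % site)
    return findings


def make_private_home(parent=None):
    # mkdtemp creates a new directory with an unpredictable name, mode 0700.
    return tempfile.mkdtemp(prefix="build-home-", dir=parent)


if __name__ == "__main__":
    for line in audit_home(os.environ.get("HOME", "/tmp")) or ["HOME looks private"]:
        print(line)
```
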
