Hi,

Grepping the source code reveals other insecure usages of temp files:

./scripts/cvs-debrelease.sh-# rootdir workdir (if all original sources are kept in one dir)
./scripts/cvs-debrelease.sh-
./scripts/cvs-debrelease.sh:TEMPDIR=/tmp/$$
./scripts/cvs-debrelease.sh-mkdir $TEMPDIR || exit 1
./scripts/cvs-debrelease.sh-TEMPFILE=$TEMPDIR/cl-tmp
./scripts/cvs-debrelease.sh-trap "rm -f $TEMPFILE; rmdir $TEMPDIR" 0 1 2 3 7 10 13 15
./scripts/cvs-debi.sh-# rootdir workdir (if all original sources are kept in one dir)
./scripts/cvs-debi.sh-
./scripts/cvs-debi.sh:TEMPDIR=/tmp/$$
./scripts/cvs-debi.sh-mkdir $TEMPDIR || exit 1
./scripts/cvs-debi.sh-TEMPFILE=$TEMPDIR/cl-tmp
./scripts/cvs-debi.sh-trap "rm -f $TEMPFILE; rmdir $TEMPDIR" 0 1 2 3 7 10 13 15

Btw, is there any reason why scripts/libvfork.c even exists?

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
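For comparison with the TEMPDIR=/tmp/$$ lines in the grep output above, here is an added example that is not part of the original message and not the package's own code. The directory name there is the shell's PID, which any local user can predict and create first, and its mode depends on the caller's umask. The sketch below assumes mktemp(1) is available; the function name make_private_tmpdir and the prefix cvs-deb are hypothetical.

```shell
#!/bin/sh
# Added example: hardened form of
#     TEMPDIR=/tmp/$$
#     mkdir $TEMPDIR || exit 1
# using mktemp(1) instead of the process ID.

# make_private_tmpdir PREFIX  (hypothetical helper name)
# Prints the path of a newly created directory with an unpredictable
# name. mktemp -d creates it atomically and fails rather than reuse an
# existing path; umask 077 keeps it private to the calling user.
make_private_tmpdir() {
    prefix=${1:-tmp}
    dir=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/${prefix}.XXXXXXXXXX") || return 1
    # Defensive check: a real directory, not a symlink.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    printf '%s\n' "$dir"
}

TEMPDIR=$(make_private_tmpdir cvs-deb) || exit 1
TEMPFILE=$TEMPDIR/cl-tmp

# Single quotes defer expansion until the trap runs; the inner double
# quotes keep a path with spaces or glob characters intact.
trap 'rm -rf -- "$TEMPDIR"' EXIT
# Turn fatal signals into a normal exit so the EXIT trap cleans up.
trap 'exit 1' HUP INT QUIT PIPE TERM
```

The rest of a script can keep using $TEMPDIR and $TEMPFILE as before; only the creation and cleanup lines change.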
