Hi Hamish!

It seems that the upstream fix for this issue is far from being ideal.

> TMP=`tempfile -d /tmp -p geo. -s .code`

[...]

> so calling this "fixed-upstream" and hoping that tempfile is somewhat
> portable beyond Debian.

Any particular reason for using the Debian-specific tempfile, instead of
the generally available mktemp?

Apart from the portability issues of the fix, the fix does not address
the flaw properly either.  Even though the TMP file (never used, IIRC) is
created in a secure way, all other temporary files are not (STYLE,
COORDS, OUTWAY, MAP for geo-code).  So when TMP is created, a local user
can see its name and can create malicious symlinks
TMP.style, .coords, .way, .gif before the script attempts to use them
for the first time (or guess or brute-force the TMP name in advance).  You
either have to create all temporary files using mktemp, or make TMP a
temporary directory (or a dot-directory in the user's home dir, and then
you do not have to care about creating it securely at all).

There are still a few other issues in geo-nearest, like:

  cp "$GEOWAY" /tmp/geocaching.loc

and

  filter1="tee $TMP.page"
  filter2="tee $TMP.bulk"

See the following bugs for the patch that is in preparation for Fedora
packages:

  https://bugzilla.redhat.com/show_bug.cgi?id=470241
  https://bugzilla.redhat.com/show_bug.cgi?id=475478

-- 
Tomas Hoger
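
An added example, not part of the message above and not the Fedora patch: one way to implement the "make TMP a temporary directory" suggestion in POSIX sh. The function names geo_tmp_setup, geo_tmp_cleanup and geo_tmp_mode, the TMPD variable and the geo.XXXXXXXXXX template are assumptions; STYLE, COORDS, OUTWAY and MAP are the variables named in the message.

```shell
#!/bin/sh
# Added illustration; function names and TMPD are hypothetical, not geo-code's.

geo_tmp_setup() {
    # Files created later get owner-only permissions.
    umask 077
    # mktemp -d picks an unpredictable name and creates the directory
    # atomically with mode 0700; it fails rather than reuse an existing path.
    TMPD=$(mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXXXX") || return 1
    # Every scratch file lives inside the private directory, so no other
    # local user can create entries (symlinks included) at these paths.
    STYLE=$TMPD/style
    COORDS=$TMPD/coords
    OUTWAY=$TMPD/way
    MAP=$TMPD/map.gif
    # Remove the directory on normal exit and on common signals.
    trap geo_tmp_cleanup EXIT
    trap 'geo_tmp_cleanup; exit 1' HUP INT TERM
}

geo_tmp_cleanup() {
    if [ -n "${TMPD:-}" ] && [ -d "$TMPD" ]; then
        rm -rf -- "$TMPD"
    fi
    return 0
}

# Permission string of a path (first 10 columns of ls -ld), for checking
# that the directory and the files in it are not accessible to other users.
geo_tmp_mode() {
    ls -ld -- "$1" | cut -c1-10
}
```

The same directory can hold the copy that geo-nearest writes to /tmp/geocaching.loc and the tee targets $TMP.page and $TMP.bulk, so no fixed or derived name is left in a world-writable directory.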



_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
