Source: crossroads
Version: 2.81-2
Severity: serious
Tags: security

crossroads's xr/Makefile has:

| $(BINDIR)/xr: $(BIN)
|	cp $(BIN) $(TMPXR)
|	install $(TMPXR) $(BINDIR)/xr
|	rm -f $(TMPXR)

where

| TMPXR = /tmp/xr-$(shell whoami)

Jakub Wilk observed that a malicious user could create /tmp/xr-root as a
directory with mode 777 and replace the directory with an arbitrary file
after the cp (via inotify) thus injecting an arbitrary binary into the
build.

Helmut
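
A hardened form of the staging step from the report, together with a quick check for the pattern. This is an added example, not code from the crossroads package or from the reporter; the helper names `find_fixed_tmp_paths` and `stage_and_install` are hypothetical, and the Makefile lines in `demo` are constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of crossroads.

# Heuristic check: print "line:text" for Makefile lines that reference a
# literal /tmp/ path without going through mktemp.
find_fixed_tmp_paths() {
    grep -n '/tmp/' "$1" | grep -v 'mktemp'
}

# Copy BIN into a private staging directory, then install it as BINDIR/NAME.
stage_and_install() {
    bin=$1; bindir=$2; name=$3
    # mktemp -d creates a new directory owned by the caller with mode 0700
    # and a random suffix, and fails if the name already exists, so no
    # other local user can pre-create it or swap its contents.
    stage=$(mktemp -d "${TMPDIR:-/tmp}/xr-stage.XXXXXXXXXX") || return 1
    if cp -- "$bin" "$stage/$name" &&
       install -m 0755 -- "$stage/$name" "$bindir/$name"; then
        rc=0
    else
        rc=1
    fi
    rm -rf -- "$stage"
    return "$rc"
}

# Demo on constructed input: run as "sh example.sh demo".
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' 'TMPXR = /tmp/xr-$(shell whoami)' \
        'SAFE := $(shell mktemp -d /tmp/xr.XXXXXX)' > "$work/Makefile"
    echo "fixed /tmp paths found:"
    find_fixed_tmp_paths "$work/Makefile"
    printf 'constructed stand-in for the xr binary\n' > "$work/xr"
    mkdir "$work/bin"
    stage_and_install "$work/xr" "$work/bin" xr && ls -l "$work/bin/xr"
    rm -rf -- "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```
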