Hello Jakub,
On Mon, Mar 25, 2019 at 11:15:59AM +0100, Jakub Wilk wrote:
> Hi Helge!
>
> * Helge Kreutzmann , 2019-03-23, 20:48:
> >+/* Create a secure private temporary directory */
> >+fifosdir = mkdtemp(FIFODIR "tvtimeXX");
>
> The mkdtemp(2) man page says: "Since it will be modifi
Hi Helge!
* Helge Kreutzmann , 2019-03-23, 20:48:
+/* Create a secure private temporary directory */
+fifosdir = mkdtemp(FIFODIR "tvtimeXX");
The mkdtemp(2) man page says: "Since it will be modified, template must
not be a string constant, but should be declared as a character arr
Package: tvtime
Version: 1.0.11-4
Severity: grave
Tags: security
tvtime uses /tmp/.TV-/ as a temporary directory, even when it
belongs to another (potentially malicious) user. Local attacker can
exploit this bug to execute arbitrary code in the context of a tvtime
user.
I've attached a proof
3 matches
Mail list logo