Bug#924076: tvtime: insecure use of /tmp

2019-03-26 Thread Helge Kreutzmann
Hello Jakub,

On Mon, Mar 25, 2019 at 11:15:59AM +0100, Jakub Wilk wrote:
> Hi Helge!
>
> * Helge Kreutzmann , 2019-03-23, 20:48:
> >+/* Create a secure private temporary directory */
> >+fifosdir = mkdtemp(FIFODIR "tvtimeXX");
>
> The mkdtemp(2) man page says: "Since it will be

Bug#924076: tvtime: insecure use of /tmp

2019-03-25 Thread Jakub Wilk
Hi Helge!

* Helge Kreutzmann , 2019-03-23, 20:48:
+/* Create a secure private temporary directory */
+fifosdir = mkdtemp(FIFODIR "tvtimeXX");

The mkdtemp(2) man page says: "Since it will be modified, template must not be a string constant, but should be declared as a character
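
Review bot: the template on the +fifosdir line ends in only two X characters ("tvtimeXX"), but mkdtemp() requires the last six characters of the template to be XXXXXX and otherwise returns NULL with errno set to EINVAL, so the private directory would not be created. Suggest building the template in a writable char array whose name part ends in "XXXXXX" rather than passing the FIFODIR "tvtimeXX" literal, and checking the result for NULL before fifosdir is used, since the visible lines show no such check.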

Bug#924076: tvtime: insecure use of /tmp

2019-03-09 Thread Jakub Wilk
Package: tvtime
Version: 1.0.11-4
Severity: grave
Tags: security

tvtime uses /tmp/.TV-/ as a temporary directory, even when it belongs to another (potentially malicious) user. Local attacker can exploit this bug to execute arbitrary code in the context of a tvtime user. I've attached a