Package: jumpnbump
Version: 1.50-6
Severity: grave
Tags: security
Justification: user security hole

Hi,

jumpnbump uses files in the /tmp directory in an unsafe manner:

 * jumpnbump-menu calls `convert' on files in /tmp, this allows
   another user to overwrite arbitrary files via symlinks.
   The patch for #500340 should solve this.

 * jumpnbump-menu calls `jumpnbump-unpack' in /tmp, same problem
   (this only affects the version in Etch, the version in Lenny is
   broken)
   The patch above addresses this as well.

 * in sdl/sound.c:509, the file "/tmp/jnb.tmpmusic.mod" is opened
   for writing

 * jumpnbump-unpack should not follow symlinks when overwriting files
   (makes it at least more safe if called in /tmp)

I think the last point is not as critical as the others, as the user
will have to start jumpnbump-unpack in a directory writable by others.

Regards,
Ansgar



_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
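
The fixed-name pattern from the sdl/sound.c item in the report above, next to one common hardening (`mkstemp()`), as an added example that is not jumpnbump's code and not the patch for #500340. The function names, the sample data and the private scratch directory standing in for /tmp are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: a fixed name opened for writing.
   fopen("w") follows a symlink and truncates whatever it points to. */
static int write_fixed_name(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: mkstemp() picks an unpredictable name and creates it with
   O_CREAT|O_EXCL, so a pre-existing file or symlink is never opened. */
static int write_private_temp(char *tmpl, const char *data) {
    int fd = mkstemp(tmpl);                 /* tmpl must end in "XXXXXX" */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Constructed scenario in a private scratch directory (stand-in for /tmp):
   a symlink already sits at the fixed name and points at another file.
   Returns that other file's size after the chosen writer has run. */
static long target_size_after(int hardened) {
    char dir[] = "/tmp/jnb-demo-XXXXXX", target[64], fixed[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(fixed, sizeof fixed, "%s/jnb.tmpmusic.mod", dir);
    snprintf(tmpl, sizeof tmpl, "%s/jnb.XXXXXX", dir);
    write_fixed_name(target, "important");  /* 9 bytes of sample content */
    if (symlink(target, fixed) != 0) return -1;
    if (hardened) write_private_temp(tmpl, "MODDATA");
    else          write_fixed_name(fixed, "MODDATA");
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(fixed); unlink(target); if (hardened) unlink(tmpl); rmdir(dir);
    return size;
}

int main(void) {
    printf("fixed name: target is %ld bytes\n", target_size_after(0));
    printf("mkstemp:    target is %ld bytes\n", target_size_after(1));
    return 0;
}
```

With the fixed name, the file behind the symlink ends up holding the 7 bytes meant for the temporary file; with `mkstemp()` it keeps its original 9 bytes.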