Package: slic3r
Version: 1.2.9+dfsg-6
Severity: important
Tags: security

Hi,

When configured with octoprint, the function "send to printer" first creates /tmp/<model-name>.gcode and then uploads this file to octoprint, which makes the name somewhat predictable, opening a race with a quite wide window of opportunity to upload a different file to the octoprint server. If we predict the filename and make a symlink with that name, slic3r also follows the symlink.

-- tobi

-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slic3r depends on:
ii  libboost-geometry-utils-perl           0.15-2+b4
ii  libc6                                  2.24-10
ii  libencode-locale-perl                  1.05-1
ii  libgcc1                                1:6.3.0-14
ii  libio-stringy-perl                     2.111-2
ii  libmath-convexhull-monotonechain-perl  0.1-1+b4
ii  libmath-geometry-voronoi-perl          1.3-2+b4
ii  libmath-planepath-perl                 123-1
ii  libmoo-perl                            2.002005-1
ii  libperl5.24 [libtime-hires-perl]       5.24.1-2
ii  libstdc++6                             6.3.0-14
pn  libstorable-perl                       <none>
pn  perl:any                               <none>

Versions of packages slic3r recommends:
ii  libclass-xsaccessor-perl   1.19-2+b7
ii  libio-all-perl             0.86-2
ii  libopengl-perl             0.6704+dfsg-2+b2
ii  libpdf-api2-perl           2.030-1
ii  libsvg-perl                2.64-1
ii  libwx-glcanvas-perl        0.09-3+b4
ii  libwx-perl                 1:0.9928-1+b1
ii  libxml-sax-expatxs-perl    1.33-2+b2

slic3r suggests no packages.

-- no debconf information
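The two properties the report combines, a guessable filename in a shared directory and an open that follows whatever entry already sits at that name, are what make the race exploitable, and both have standard fixes. The following is an added, constructed Python example (not Slic3r's code, and not the reporter's) that reproduces the hazard in a private scratch directory standing in for /tmp: a pre-planted symlink at the fixed name `model.gcode` redirects a plain create-or-truncate write into another file, while an open using `O_CREAT|O_EXCL|O_NOFOLLOW` on the same name refuses to proceed, and `tempfile.mkstemp` avoids the problem altogether by choosing an unguessable name. The file names and the G-code line are made up for the demonstration; a POSIX system is assumed.

```python
"""Constructed demonstration of the fixed-name /tmp race and its hardened
alternatives. Not Slic3r code; assumes a POSIX system (symlinks, O_NOFOLLOW)."""
import os
import shutil
import tempfile

# The pattern the report describes: a predictable name in a shared directory,
# opened with create-or-truncate semantics. open() follows symlinks, so if
# another local user planted a link at `path`, the data lands at its target.
def write_predictable(path, data):
    with open(path, "wb") as f:
        f.write(data)

# Hardened variant 1: keep the caller's chosen name but refuse any pre-existing
# entry (O_EXCL makes the open fail with EEXIST even for a dangling symlink),
# never follow a link (O_NOFOLLOW), and create the file private to the user.
def write_exclusive(path, data):
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

# Hardened variant 2: let mkstemp pick a random name in the directory. It also
# opens with O_EXCL and mode 0600, so the name cannot be predicted or pre-planted.
def write_mkstemp(directory, suffix, data):
    fd, path = tempfile.mkstemp(suffix=suffix, dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Runs all three writers against a planted symlink in a private scratch
    directory. Returns (victim_clobbered, exclusive_refused, mkstemp_name_differs)."""
    tmpdir = tempfile.mkdtemp()  # constructed stand-in for the shared /tmp
    try:
        # Any file the planted link could point at; constructed for the demo.
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents")

        # The guessable name from the report, pre-planted as a symlink.
        planted = os.path.join(tmpdir, "model.gcode")
        os.symlink(victim, planted)

        gcode = b"G1 X10 Y10\n"  # constructed stand-in for the sliced output

        # 1. Plain write follows the link: victim.txt is overwritten.
        write_predictable(planted, gcode)
        with open(victim, "rb") as f:
            victim_clobbered = f.read() == gcode

        # 2. Exclusive, non-following open refuses the pre-planted entry.
        try:
            write_exclusive(planted, gcode)
            exclusive_refused = False
        except OSError:  # FileExistsError (EEXIST) from O_EXCL, or ELOOP
            exclusive_refused = True

        # 3. mkstemp produces a fresh regular file under a name nobody could guess.
        safe_path = write_mkstemp(tmpdir, ".gcode", gcode)
        mkstemp_name_differs = (os.path.basename(safe_path) != "model.gcode"
                                and not os.path.islink(safe_path))

        return victim_clobbered, exclusive_refused, mkstemp_name_differs
    finally:
        shutil.rmtree(tmpdir)

if __name__ == "__main__":
    print(demo())  # (True, True, True) on a POSIX system
```

Of the two hardened variants, the `mkstemp` one is the better fit for the upload case described in the report: the local file is only a staging copy, so its name does not need to match the model name, and the display name sent to the octoprint server can be chosen independently of the path on disk.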

