Your message dated Sat, 19 May 2007 13:53:26 +0200
with message-id <[EMAIL PROTECTED]>
and subject line (pas de sujet)
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: trm
Version: 0.2.1-1
Severity: normal
When trm looks up a file at MusicBrainz it writes some HTML to
/tmp/lookp.html then calls mozilla to display it.
No checks are made to see if the file already exists, is not a symlink,
and is owned by the user running trm.
A local attacker can create a symlink in /tmp to a file owned by another
user. That file will be overwritten if that user ever uses the lookup
feature of trm.
It would be much safer to write the file to ~/.trm/lookup.html.
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux arthur 2.6.2 #1 Sat Feb 7 12:49:25 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages trm depends on:
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
ii libgcc1 1:3.3.3-0pre1 GCC support library
ii libid3-3.8.3 3.8.3-3 Library for manipulating ID3v1 and
ii libmad0 0.15.0b-3 MPEG audio decoder library
ii libmusicbrainz2 2.0.2-7 Second generation incarnation of t
ii libogg0 1.1.0-1 Ogg Bitstream Library
ii libstdc++5 1:3.3.3-0pre1 The GNU Standard C++ Library v3
ii libvorbis0a 1.0.1-1 The Vorbis General Audio Compressi
ii libvorbisfile3 1.0.1-1 The Vorbis General Audio Compressi
ii zlib1g 1:1.2.1-3 compression library - runtime
-- no debconf information
--- End Message ---
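The overwrite described in the report above and the creation flags that prevent it, as an added example that is not trm's code and not part of the original messages. The function names, the scratch directory and the file contents are constructed for illustration; the same `open()` call applies whether the file lives in /tmp or under ~/.trm.

```c
/* Added example, not trm's code: fixed-name scratch file, unsafe vs. safe creation. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp(), O_NOFOLLOW under strict -std modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the report describes: fopen("w") follows a pre-planted symlink. */
static int write_unsafe(const char *path, const char *html) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(html, f);
    return fclose(f);
}

/* Hardened: O_CREAT|O_EXCL fails if the name exists at all (symlinks included),
 * so a successful open means this process created the file and owns it. */
static int write_safe(const char *path, const char *html) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(html);
    ssize_t n = write(fd, html, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "lookup.html" is a symlink
 * to "victim". Bit 1: safe writer refused, victim intact. Bit 2: unsafe writer clobbered it. */
int symlink_demo(void) {
    char dir[] = "/tmp/trm-demo-XXXXXX", victim[64], link_path[64];
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/lookup.html", dir);
    if (write_safe(victim, "important data\n") || symlink(victim, link_path)) return -1;
    if (write_safe(link_path, "<html>") == -1 && file_size(victim) == 15) result |= 1;
    if (write_unsafe(link_path, "<html>") == 0 && file_size(victim) == 6) result |= 2;
    unlink(link_path); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", symlink_demo()); return 0; }
```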
--- Begin Message ---
All these pieces of software were given as examples of libtunepimp use.
You SHOULDN'T use them. Please consider switching to a real tagging
software like amarok or picard (for example).
libtunepimp-bin has been dropped since 0.5.3-1.
Regards, Adam.
--- End Message ---