Package: listadmin
Version: 2.40-4
Tags: security

listadmin creates temporary files in an insecure way:

        # Use rand() to protect a little against tmpfile races
        $dumpfile ||= "/tmp/dump-" . rand() . "-$list.html";
        if (open(DUMP, ">$dumpfile")) {
            chmod(0600, $dumpfile);
            print DUMP $page;
            close(DUMP);
            $msg .= ", please send $dumpfile to $maintainer";
        }

There are two problems here:

1) The code doesn't fail if a file with the same name already exists (which is required by Policy §10.4).

2) Between the open() and chmod() calls, the file has default permissions, so it might be possible for another local user to open it.

--
Jakub Wilk
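
An added example, not part of the original report and not listadmin's own code: one way to address both points above, creating the file with O_EXCL so an existing name (including a pre-planted symlink) makes the open fail, and passing mode 0600 at creation so there is no open()/chmod() window. The function names, the scratch directory and the sample page are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Create $path only if it does not exist yet, with mode 0600 from the start.
# O_EXCL makes the open fail on any existing name, including a symlink
# planted by another user; the mode argument replaces the later chmod().
sub write_dump_exclusive {
    my ($path, $page) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return;                      # $! holds the reason (e.g. EEXIST)
    print {$fh} $page or return;
    close($fh) or return;
    return $path;
}

# Let File::Temp pick an unpredictable name; it opens with O_EXCL and 0600.
# Assumes $list is a plain list name without "/" in it.
sub write_dump_tempfile {
    my ($list, $page, $dir) = @_;
    my ($fh, $path) = tempfile("dump-$list-XXXXXXXX",
                               DIR => $dir, SUFFIX => '.html', UNLINK => 0);
    print {$fh} $page;
    close($fh) or die "close $path: $!";
    return $path;
}

# Constructed demo in a private scratch directory (stand-in for /tmp).
my $dir  = tempdir(CLEANUP => 1);
my $page = "<html>constructed sample page</html>\n";

my $fixed = "$dir/dump-example.html";
print "first create:  ", (write_dump_exclusive($fixed, $page) ? "ok" : "failed: $!"), "\n";
print "second create: ", (write_dump_exclusive($fixed, $page) ? "ok" : "failed: $!"), "\n";

# Dangling symlink placed before the write, as another local user could do.
symlink("$dir/victim", "$dir/dump-link.html");
print "via symlink:   ", (write_dump_exclusive("$dir/dump-link.html", $page) ? "ok" : "failed: $!"), "\n";
print "victim created: ", (-e "$dir/victim" ? "yes" : "no"), "\n";

my $tmp = write_dump_tempfile("example", $page, $dir);
printf "tempfile %s mode %04o\n", $tmp, (stat($tmp))[2] & 07777;
```

The second create and the symlink case both fail with "File exists", the symlink target is never created, and the File::Temp file is reported with mode 0600.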

