Package: gummi
Version: 0.6.5-3
Severity: normal

I opened a file called thesis.tex in gummi, this created the following
files in /tmp:

-rw-r--r--  1 jak  jak    3196 Jul 29 21:39 .thesis.tex.aux
-rw-r--r--  1 jak  jak   42672 Jul 29 21:39 .thesis.tex.log
-rw-r--r--  1 jak  jak     559 Jul 29 21:39 .thesis.tex.out
-rw-r--r--  1 jak  jak  266755 Jul 29 21:39 .thesis.tex.pdf
-rw-r--r--  1 jak  jak     885 Jul 29 21:39 .thesis.tex.toc

Obviously, this has serious implications for multi-user systems, because
two users editing a file with the same name would write to the same files
in /tmp.

I'm not sure if there are security implications here if you create symbolic
links using those names that an attacker could use to overwrite files
in /home (potentially deleting valuable user information).

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (980, 'unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gummi depends on:
ii  libc6                  2.19-7
ii  libcairo2              1.12.16-2
ii  libgdk-pixbuf2.0-0     2.30.7-1
ii  libglib2.0-0           2.40.0-3
ii  libgtk2.0-0            2.24.24-1
ii  libgtksourceview2.0-0  2.10.5-1
ii  libgtkspell0           2.0.16-1
ii  libpango-1.0-0         1.36.3-1
ii  libpoppler-glib8       0.26.3-1
ii  zlib1g                 1:1.2.8.dfsg-1

Versions of packages gummi recommends:
ii  texlive-extra-utils  2014.20140717-1
ii  texlive-latex-base   2014.20140717-01
ii  texlive-xetex        2014.20140717-01

gummi suggests no packages.

-- no debconf information

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.
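Added example, not gummi's code and not part of the report: the pattern that avoids both the cross-user collision and the symlink problem described above. Scratch files go into a per-invocation private directory created by mkdtemp() (random name, mode 0700), each file is opened with O_CREAT|O_EXCL|O_NOFOLLOW so an entry planted in advance is refused rather than followed, and a small audit check flags the risky fixed-name-in-shared-directory case. The template name "gummi-XXXXXX", the function names and the file names are assumptions.

```c
/* Added example (not gummi's code): creating LaTeX scratch files in a
 * private, unpredictable directory instead of /tmp/.<name>.<ext>.
 * The "gummi-XXXXXX" template and the helper names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a mode-0700 directory with a random suffix under $TMPDIR or /tmp.
 * Stores the path in `path` and returns a directory fd, or -1 on error. */
int make_private_workdir(char *path, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base) base = "/tmp";
    if (snprintf(path, len, "%s/gummi-XXXXXX", base) >= (int)len) return -1;
    if (!mkdtemp(path)) return -1;   /* atomic create, 0700, random name */
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Create a scratch file inside the private dir. O_EXCL refuses to reuse any
 * pre-existing entry (a regular file or a symlink planted there), O_NOFOLLOW
 * never follows a symlink, and mode 0600 keeps the contents private. */
int create_scratch_file(int dirfd, const char *name)
{
    if (strchr(name, '/')) { errno = EINVAL; return -1; } /* stay inside dir */
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Audit check for the risky pattern (a fixed name in a shared directory).
 * Returns 1 if `path` does not exist yet, or is a regular file owned by the
 * caller with no group/other access; 0 if it is a symlink, another user's
 * file, or anything else that must not be written through. */
int shared_path_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return errno == ENOENT;
    if (S_ISLNK(st.st_mode)) return 0;     /* could point into someone's home */
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;   /* another user's file */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

/* Remove the named entries and then the private directory itself. */
void remove_workdir(int dirfd, const char *path,
                    const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++) unlinkat(dirfd, names[i], 0);
    close(dirfd);
    rmdir(path);
}

int main(void)
{
    char dir[4096];
    int dfd = make_private_workdir(dir, sizeof dir);
    if (dfd < 0) { perror("mkdtemp"); return 1; }
    int fd = create_scratch_file(dfd, "thesis.aux");
    if (fd < 0) { perror("openat"); return 1; }
    if (write(fd, "\\relax\n", 7) != 7) perror("write");
    close(fd);
    printf("scratch file created in %s\n", dir);
    const char *const names[] = { "thesis.aux" };
    remove_workdir(dfd, dir, names, 1);
    return 0;
}
```

Because the directory name is random and only the owner can traverse it, two users editing thesis.tex no longer share a path, and a symlink cannot be placed there ahead of time by anyone else; the O_EXCL|O_NOFOLLOW open is the second line of defence in case a name is ever reused.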

