reopen 496360
severity 496360 important
kthxbye

On Mon, Aug 25, 2008 at 11:21:24 +0200, Romain Beauxis wrote:
> Hi !
>
> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data
> during the live show.
>
> We don't consider this as a bug, but as feature (tm).

This is broken.

> Furthermore, this is known to the user, the name is predictable --
> "/tmp/liguidsoap.log" -- and run manually by the user, with no root
> rights.
>
That makes symlink attacks against root impossible, but it still allows an attacker to overwrite any file owned by the user running liguidsoap. Please move the files out of /tmp.

Cheers,
Julien
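The following is an added example, not part of the original message and not the package's code. It shows in a throwaway sandbox why a fixed log name in a shared directory lets a pre-existing symlink redirect the write, and two ways of opening the log that avoid it. The names `app.log`, `victim.txt` and the `logs` directory are hypothetical.

```python
import os
import tempfile

def open_log_unsafe(path):
    # Pattern described in the report: fixed name in a shared directory.
    # O_CREAT | O_TRUNC follows a symlink already present at `path`.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)

def open_log_exclusive(path):
    # O_EXCL with O_CREAT fails (EEXIST) if anything, including a symlink,
    # already exists at `path`; O_NOFOLLOW refuses a symlink as last component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)

def open_log_private(home, name="app.log"):
    # What the reply asks for: keep the file out of the shared directory.
    # `home`/logs is a hypothetical per-user location, mode 0700.
    logdir = os.path.join(home, "logs")
    os.makedirs(logdir, exist_ok=True)
    os.chmod(logdir, 0o700)  # makedirs' mode is subject to umask
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    return os.open(os.path.join(logdir, name), flags, 0o600)

def demo():
    # Constructed sandbox: `shared` stands in for /tmp, `victim` for a user-owned file.
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as home:
        victim = os.path.join(shared, "victim.txt")
        log = os.path.join(shared, "app.log")
        with open(victim, "w") as f:
            f.write("important data\n")
        os.symlink(victim, log)  # link in place before the program starts
        try:
            os.close(open_log_exclusive(log))
            refused = False
        except FileExistsError:
            refused = True
        os.close(open_log_private(home))
        with open(victim) as f:
            after_safe = f.read()

        fd = open_log_unsafe(log)
        os.write(fd, b"log line\n")
        os.close(fd)
        with open(victim) as f:
            after_unsafe = f.read()
    return refused, after_safe, after_unsafe

if __name__ == "__main__":
    print(demo())
```

The exclusive open only detects the problem and fails; moving the file into a directory that other users cannot write to removes the race entirely.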