2008/11/10 Thomas Schweitzer <[EMAIL PROTECTED]>:
> Hello Adeodato, hello Eddy,
>
> I've some comments to the mentioned bugs.
>
> Adeodato Simó wrote:
>>
>> * Eddy Petrișor [Fri, 07 Nov 2008 14:10:41 +0200]:
>>
>>> Hello,
>>
>>> The package universalindentgui is currently in RFA state and has a bug
>>> that prevents its usage by default.
>>
>>> The program relies on a temporary location which should be, in theory,
>>> a directory "$TMPDIR/UniversalIndentGUI", but the code fails to add a
>>> '/' after "$TMPDIR", thus trying to create a directory
>>> "/tmpUniversalIndentGUI", which, of course fails.
>
> This is bug#486577 and it is already fixed in version 1.0.2 by commit 868
> (http://universalindent.svn.sourceforge.net/viewvc/universalindent?view=rev&revision=868).

404

>>> I prepared an NMU for the package which is available from the BR or from:
>>
>>>
>>> http://users.alioth.debian.org/~eddyp-guest/upload/universalindentgui-0.8.1-1.1/
>>
>>> ( dget
>>> http://users.alioth.debian.org/~eddyp-guest/upload/universalindentgui-0.8.1-1.1/universalindentgui_0.8.1-1.1.dsc
>>> )
>>
>> Hello Eddy, Thomas sent you a copy of #504726, did you get to see that
>> message? Incidentally, upstream of this package has said in the RFA bug
>> (#483068) that he's interested in adopting this package; I've asked him
>> if he has a fix for #504726, though I forgot to tell him we need it
>> fast (BCCed now).
>
> Concerning bug#504726, I am not sure what the problem with that is. Why is
> there a risk in creating a static (where static only means that the name will
> never change) subdir for temporary data?

When a certain file in that directory is opened, let's say
"universalindentguimain.cpp", at least one temp file with a
predetermined filename (e.g.:
/tmp/UniversalIndentGui/universalindentguimain.cpp) is created.

A malicious user could run the following commands:

mkdir /tmp/UniversalIndentGui
ln -s /home/thomas/some_precious_file_of_yours /tmp/UniversalIndentGui/universalindentguimain.cpp


then they will wait for you to open that file for indentation and watch
you destroy your "some_precious_file_of_yours"[1].


Having a randomized name for the directory (mkdtemp - stdlib.h) makes
the problem go away. Also, having random names for the temporary files
could solve the problem, too.


> Thanks to both of you for helping me get the package forward!

No problem.

[1]  If that file is the recording of your wedding, you can imagine the damage
-- 
Regards,
EddyP
=============================================
"Imagination is more important than knowledge" A.Einstein
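As an added illustration of the fix Eddy proposes (this is example code written for this thread, not code from the UniversalIndentGUI project or from either of the bug reports), the C program below does the two things that close the hole: it builds the directory name with the separator the original code dropped and hands it to mkdtemp(3), so the directory gets an unpredictable name and mode 0700, and it opens the work file with O_EXCL|O_NOFOLLOW, so a pre-planted entry or symlink is refused instead of written through. The function names, the "UniversalIndentGUI-XXXXXX" template and the sample file name are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<tmpdir>/UniversalIndentGUI-XXXXXX" into buf. The separator is
 * added unless tmpdir already ends in '/'; forgetting it is what produced
 * "/tmpUniversalIndentGUI" (bug #486577). An unset or empty tmpdir falls
 * back to /tmp. Returns 0 on success, -1 if the result would not fit. */
int build_template(const char *tmpdir, char *buf, size_t len)
{
    if (tmpdir == NULL || tmpdir[0] == '\0')
        tmpdir = "/tmp";
    const char *sep = (tmpdir[strlen(tmpdir) - 1] == '/') ? "" : "/";
    int n = snprintf(buf, len, "%s%sUniversalIndentGUI-XXXXXX", tmpdir, sep);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create a fresh, unpredictably named, mode-0700 directory for this run.
 * mkdtemp() replaces the XXXXXX in place, so dir holds the final path.
 * Because the name is chosen at creation time, nobody can pre-create the
 * directory or plant symlinks in it beforehand (the #504726 scenario). */
int make_private_tmpdir(char *dir, size_t len)
{
    if (build_template(getenv("TMPDIR"), dir, len) != 0)
        return -1;
    return mkdtemp(dir) == NULL ? -1 : 0;
}

/* Open a work file inside dir. O_EXCL refuses an existing entry and
 * O_NOFOLLOW refuses a symlink, so a planted link is never written
 * through; the file itself is created private (0600). Returns an fd or -1. */
int open_work_file(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Remove the work file and the directory once indentation is done. */
int remove_work_dir(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    if (unlink(path) != 0 && errno != ENOENT)
        return -1;
    return rmdir(dir);
}

int main(void)
{
    char dir[PATH_MAX];
    const char *name = "universalindentguimain.cpp"; /* sample file name */
    if (make_private_tmpdir(dir, sizeof dir) != 0) {
        perror("mkdtemp");
        return 1;
    }
    int fd = open_work_file(dir, name);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    printf("working in %s\n", dir);
    close(fd);
    return remove_work_dir(dir, name) == 0 ? 0 : 1;
}
```

Of the two remedies Eddy lists, the random directory name is the one that carries the weight: once the directory is created fresh with mode 0700 by the user, nothing another account pre-created can sit inside it. The O_EXCL|O_NOFOLLOW flags are belt and braces for the case where the program is later changed to reuse a directory across runs.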
