Package: fftw3-dev
Version: 3.0.1-11
Priority: important
Tags: security patch
While doing a review of usage of tempfiles in Debian I've found out that the fftw-wisdom-to-conf script uses temporary files in an unsafe way which could be used to conduct symlink attacks against any user running it.

Attached is a patch that fixes this issue by introducing the use of mktemp.

Regards

Javier
--- fftw3-3.0.1/tools/fftw-wisdom-to-conf.in.orig 2005-08-06 10:34:10.000000000 +0200 +++ fftw3-3.0.1/tools/fftw-wisdom-to-conf.in 2005-08-06 10:34:53.000000000 +0200 @@ -57,7 +57,8 @@ extern void ${prefix}solvtab_exec(const struct solvtab_s s[], void *); EOF -tmp=/tmp/fftw-wisdom-to-conf$$ +tmp=`mktemp -t tempfile.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap " [ -f \"$tmp\" ] && /bin/rm -f -- \"$tmp\"" 0 1 2 3 13 15 sed 's/ *(//' | cut -d" " -f1 | grep -v -- - | egrep -v '^ *\)*$' > $tmp cat $tmp | sort | uniq | while read reg_nam; do @@ -73,3 +74,5 @@ echo " ${prefix}solvtab_exec(s, plnr);" echo "}" + +exit 0
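Review bot: in the first hunk, the trap installed for signals 1 2 3 13 15 only removes the file and never exits, so after an interrupt the script resumes at the `sed ... > $tmp` pipeline and the `cat $tmp` loop with the temporary file already deleted. At that point the plain `> $tmp` redirect recreates the path without mktemp's exclusive create, which reopens the window the patch is meant to close. Keep the cleanup on 0 and give the signals their own handler that ends in `exit 1`. `$tmp` is also left unquoted in `> $tmp` and `cat $tmp`; quote both so a path containing whitespace does not split.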
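Review bot: the `exit 0` appended in the second hunk is undocumented and forces a success status at the end of the script regardless of what happened in the loop above it. The trap on 0 already fires when the script reaches its end normally, so the explicit exit is not needed for the cleanup to run. Either drop it or add a comment saying why it is required.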