severity 352723 important
thanks
Julian Gilbey <[EMAIL PROTECTED]> writes:
> Line 1627 of /usr/bin/dpkg-sig reads:
>
> $DEBUG && (open (LOG, ">", "/tmp/dpkg-sig.log") || die _die("Couldn't
> open log: $!"));
>
> This is assuming that this file does not exist, is not a symlink and
> so on. This is a security hole and should be fixed by using a safe
> filename.This is a write-only file in a quite obscure way to run the program, which should only be used by its developers. This is by no means a grave bug, severity-inflation fixed. > Patch attached. As this patch changes random other stuff all over the place, I'm not willing to apply it. Either you provide something less invasive or wait for me to do this myself this or next week. > Other comments while I'm here: > (1) You don't need the & in front of sub names; they'll work quite > happily without it. I know that quite well, but this is a matter of personal coding style. > (2) -o for a remote ssh port number is a horrid choice: -o is normally > an output file; -P would be much better (matching scp, for example). -P was my first choice, but due to the limitations of the used Getopt::Long module (which is not able to see the difference between -p and -P) and the already existing "-p" short option for --cache-passphrase, something else needed to be chosen. As all other choices are equally bad, I used -o. Marc -- BOFH #370: Virus due to computers having unsafe sex.
pgpPaBeY0c3t4.pgp
Description: PGP signature
