Bug#1105210: marked as done (auctex: 'update-auctex-elisp.eperl' creates a tmpfile in the root of filesystem in a dangerous way with $(mktemp ./XXXXXXXX-el))

Debian Bug Tracking System Sun, 15 Jun 2025 03:07:15 -0700

Your message dated Sun, 15 Jun 2025 10:04:22 +0000
with message-id <[email protected]>
and subject line Bug#1105210: fixed in auctex 13.2-1.1
has caused the Debian Bug report #1105210,
regarding auctex: 'update-auctex-elisp.eperl' creates a tmpfile in the root of 
filesystem in a dangerous way with $(mktemp ./XXXXXXXX-el)
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1105210: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105210
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: auctex
Version: 13.2-1
Severity: serious
Justification: Policy 10.4, 9.1.1
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Auctex script 'update-auctex-elisp.eperl' creates a tmpfile in the
root of the filesystem in a potentially dangerous way with
$(mktemp ./XXXXXXXX-el).

This temporary file also stays on the filesystem and
is not removed.

I noticed this after switching to testing: sometimes
after "apt upgrade" a UID=0 owned file with a random
name was created in the "/" directory, with the content
"(defun font-lock-fontify-syntactic-keywords-region (start
end))".

People in "#debin-next" helped me to find the source of
this problem. They also recommended to mark this bug as "serious".

Thanks, @cb and @petn-randall!

-- System Information:

Debian Release: trixie/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'oldstable-security'), (500, 'stable'), 
(500, 'oldstable'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.27-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages auctex depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  emacs-gtk [emacs]      1:30.1+1-5
ii  emacsen-common         3.0.7
ii  preview-latex-style    13.2-1
ii  procps                 2:4.0.4-8

Versions of packages auctex recommends:
ii  ghostscript                10.05.0~dfsg-1
ii  texlive-latex-recommended  2024.20250309-1
ii  xpdf                       3.04+git20250304-1+b1

Versions of packages auctex suggests:
pn  catdvi   <none>
pn  dvipng   <none>
pn  lacheck  <none>

-- debconf information:
  auctex/doauto: Background

--- End Message ---

--- Begin Message ---

Source: auctex
Source-Version: 13.2-1.1
Done: David Bremner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
auctex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <[email protected]> (supplier of updated auctex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Jun 2025 07:26:53 -0300
Source: auctex
Architecture: source
Version: 13.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Davide G. M. Salvetti <[email protected]>
Changed-By: David Bremner <[email protected]>
Closes: 1105210
Changes:
 auctex (13.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Replace used of "mktemp ./XXXXXX-el" with "mktemp --tmpdir
     XXXXXX-el" (Closes: #1105210).
Checksums-Sha1:
 136b0d71d0ed824574e0411d34cb6863c3504eae 1566 auctex_13.2-1.1.dsc
 be803d48417121d3e0dbfcd563c59687fc8eafe2 58904 auctex_13.2-1.1.debian.tar.xz
Checksums-Sha256:
 cdc0edd366d1989eaef7b24d344ac18d89489c797a0a34eda71affbf56625809 1566 
auctex_13.2-1.1.dsc
 9bbad547fde1a1ec63996f667000018d351847d3ede118697340f4ff4cc55ac0 58904 
auctex_13.2-1.1.debian.tar.xz
Files:
 d5501977738f5b6da491aec4362e2eee 1566 tex optional auctex_13.2-1.1.dsc
 3789203fac15cad2cba4e525ac3842c0 58904 tex optional 
auctex_13.2-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQS5beC2erx2PFqyC7XhcL+0NDTnAAUCaE1DjQAKCRDhcL+0NDTn
AOmWAQCUY/GBkoWZqj7lEEL9Y0+o3Rzzf3LLpzI9hK27jChJhwEAs++L9vuwpWJI
10S84Dy2msCSVWHMCdWW6hFFZhncLQc=
=1K/7
-----END PGP SIGNATURE-----

pgpjME9h8rY5n.pgp
Description: PGP signature

--- End Message ---

Bug#1105210: marked as done (auctex: 'update-auctex-elisp.eperl' creates a tmpfile in the root of filesystem in a dangerous way with $(mktemp ./XXXXXXXX-el))

Reply via email to