Joost van der Sluis wrote:
> Hi all,
>
> As the packager of Lazarus in Fedora, I get notifications if someone
> files a bug in Fedora's bug-tracker.
>
> Now someone added a bug-report with a security issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=460642
>
> And indeed, if someone adds a symlink like 'ln -s /tmp/fpc_patchdir /etc'
> and thereafter someone with root permissions runs the
> check_fpc_dependencies.sh script with the following code in it, he won't
> be happy:
>
> TmpDir=/tmp/fpc_patchdir
> if [ "$WithTempDir" = "yes" ]; then
>   if [ -d $TmpDir ]; then
>     rm -rf $TmpDir/*
>     rm -r $TmpDir
>   fi
>
Somebody reported the same (or similar) issues in the Debian bug tracker. Maybe the best solution is not to package these scripts in rpm/debs, so that they don't enter the dangerous wild where people are running scripts with root permissions and adding symlinks in the tmp directory.

Vincent

_______________________________________________
Lazarus mailing list
Lazarus@lazarus.freepascal.org
http://www.lazarus.freepascal.org/mailman/listinfo/lazarus
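The quoted cleanup block fails because `[ -d ]` follows symlinks and `rm -rf $TmpDir/*` expands through the link, so a symlink at the predictable path /tmp/fpc_patchdir redirects the deletion. The following is an added example of a hardened replacement; it is not code from check_fpc_dependencies.sh or from anyone in this thread. The function names (`is_safe_tmpdir`, `safe_cleanup_tmpdir`, `make_private_tmpdir`, `demo`) are hypothetical, and the `stat -c` / `stat -f` fallback assumes GNU or BSD `stat`. The demonstration builds its symlink scenario inside a private scratch directory created with `mktemp -d`, not in /tmp itself.

```shell
#!/bin/sh
# Added example, not from the FPC/Lazarus scripts. Hardened replacement for:
#   TmpDir=/tmp/fpc_patchdir
#   if [ -d $TmpDir ]; then rm -rf $TmpDir/*; rm -r $TmpDir; fi
# The original passes the -d test when $TmpDir is a symlink to a directory,
# and the /* glob is then expanded inside the link target.

# Return 0 only if $1 is a real directory (not a symlink) owned by the caller.
is_safe_tmpdir() {
    dir=$1
    # -L is checked first: it inspects the link itself rather than its target
    [ ! -L "$dir" ] || return 1
    [ -d "$dir" ] || return 1
    # Owner check: a directory pre-created by another user is not ours to reuse.
    owner=$(stat -c %u "$dir" 2>/dev/null) || owner=$(stat -f %u "$dir")   # GNU, then BSD stat
    [ "$owner" = "$(id -u)" ] || return 1
    return 0
}

# Remove a temporary directory only after it passes the checks above.
# No "$dir"/* glob and no second rm: one recursive removal of the directory itself.
safe_cleanup_tmpdir() {
    if is_safe_tmpdir "$1"; then
        rm -rf -- "$1"
        return 0
    fi
    echo "refusing to remove $1: not a plain directory owned by uid $(id -u)" >&2
    return 1
}

# Preferred fix: never reuse a predictable name. mktemp creates a fresh,
# unpredictable, mode-0700 directory that nobody else could have pre-placed.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/fpc_patchdir.XXXXXX"
}

# Self-contained demonstration in a constructed scratch directory.
# Returns 0 if the hardened cleanup refuses the symlink and removes a real dir.
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/protected"                 # stands in for the directory a link would redirect to
    touch "$scratch/protected/keep"
    ln -s "$scratch/protected" "$scratch/fpc_patchdir"   # the symlink from the bug report

    safe_cleanup_tmpdir "$scratch/fpc_patchdir" && return 1   # must refuse
    [ -f "$scratch/protected/keep" ] || return 1               # link target untouched

    real=$(make_private_tmpdir)
    safe_cleanup_tmpdir "$real" || return 1                    # plain owned dir: removed
    [ ! -e "$real" ] || return 1

    rm -rf -- "$scratch"
    return 0
}

demo && echo "hardened cleanup behaved as expected"
```

In the real script the simplest change is to drop the fixed `TmpDir=/tmp/fpc_patchdir` altogether and use `make_private_tmpdir`, then remove that directory with `safe_cleanup_tmpdir`; the ownership and symlink checks are what keep the cleanup honest even if the name ever has to stay predictable.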