I don't understand how these bugs can be exploited. Both programs
contain code like this:

  set -e

  tmpdir=/tmp/$program.$$

  trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15

  mkdir $tmpdir

Since the script is set -e, the mkdir will make it exit if $tmpdir already
exists. It's true that it might rm -rf some other program's $tmpdir on
exit, but since the directory is in /tmp, it's unlikely that this will
delete anything important, or even anything that does not belong to the
person running the program. And rm doesn't follow symlinks, so an
attacker cannot even use a symlink attack to make it remove some other
directory.

-- 
see shy jo
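
Added example, not part of the original message: the quoted pattern run when its directory name is already taken (as a directory, then as a symlink), next to a mktemp -d variant. Assumptions: a private sandbox directory stands in for /tmp, the fixed suffix 4242 stands in for $$, and the names ORIGINAL, HARDENED and run_case are hypothetical.

```shell
#!/bin/sh
# Constructed demo: a private sandbox directory stands in for /tmp and the
# fixed suffix 4242 stands in for $$, so the name can be taken in advance.

# Pattern quoted in the message ($1 = base dir, $2 = program, $3 = "pid").
ORIGINAL='set -e
tmpdir=$1/$2.$3
trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
mkdir $tmpdir
echo done'

# Assumed alternative (not from the message): mktemp -d creates a fresh,
# randomly named directory, and the trap is installed only after that succeeds.
HARDENED='set -e
tmpdir=$(mktemp -d "$1/$2.XXXXXX")
cleanup() { rm -rf "$tmpdir"; }
trap cleanup 0 1 2 3 13 15
echo done'

# run_case SCRIPT KIND: pre-create <sandbox>/prog.4242 as KIND (dir|symlink),
# run SCRIPT, then report what happened to that entry and to the link target.
run_case() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere"
    echo keep > "$sandbox/elsewhere/data"
    case $2 in
        dir)     mkdir "$sandbox/prog.4242" ;;
        symlink) ln -s "$sandbox/elsewhere" "$sandbox/prog.4242" ;;
    esac
    rc=0
    out=$(sh -c "$1" sh "$sandbox" prog 4242 2>/dev/null) || rc=$?
    [ "$rc" -eq 0 ] && status=ok || status=failed
    if [ -e "$sandbox/prog.4242" ] || [ -L "$sandbox/prog.4242" ]; then
        entry=kept
    else
        entry=removed
    fi
    [ -f "$sandbox/elsewhere/data" ] && target=intact || target=lost
    left=$(ls "$sandbox" | wc -l | tr -d ' ')   # entries still in the sandbox
    rm -rf "$sandbox"
    echo "exit=$status work=${out:-none} entry=$entry target=$target left=$left"
}

run_case "$ORIGINAL" dir
run_case "$ORIGINAL" symlink
run_case "$HARDENED" dir
```

In the first two cases the script stops at mkdir and its exit trap removes the pre-existing entry while the symlink's target stays intact; in the third the pre-existing entry is left alone and only the script's own directory is cleaned up.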
