Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-25 Thread salsaman
All issues noted above have been fixed. In addition: - the terminology has been changed throughout to try to be less confusing. The directory is now referred to as the "LiVES working directory" everywhere. For example prefs->tmpdir is now prefs->workdir in the C code, and $tmpdir is now $workdir i

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-23 Thread salsaman
On Thu, Sep 22, 2016 at 7:56 PM, James Cowgill wrote: > > Thinking about this some more, there is a slight race condition here if > the user deletes the file after the checks, but before it's written. I > think the best fix would break the smogrify API unfortunately. One > alternative is to use

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-22 Thread James Cowgill
Hi, On 20/09/16 18:09, salsaman wrote: > As I mentioned already, the location of this directory is selected by > the user the first time that LiVES is run. > There is nothing forcing it to be ~/livestmp. That's fine, although I don't think it should be the default. > The directory being world wr

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-20 Thread salsaman
On Tue, Sep 20, 2016 at 1:03 PM, James Cowgill wrote: > Hi, > > [please don't change the subject to 'bug update' - it makes it harder to > follow threads and is totally pointless] > > I wasn't aware I was changing the subject - it seems like one can only add comments to this bug by sending email a

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-20 Thread James Cowgill
Hi, [please don't change the subject to 'bug update' - it makes it harder to follow threads and is totally pointless] On 20/09/16 15:51, salsaman wrote: > I would prefer to keep $tmpdir as it is, I don't see any reason to change > it to $XDG_CACHE_HOME as this variable is only used internally to >

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2016-09-20 Thread James Cowgill
Hi, On 20/09/16 02:56, salsaman wrote: > first of all, I am the main developer of LiVES. Please cc the address > salsaman+li...@gmail.com to all > future bugs related to LiVES. You should go to https://tracker.debian.org/pkg/lives and press the Subscribe button

Bug#756565: lives: Numerous insecure temporary files used in smogrify

2014-07-30 Thread Steve Kemp
Package: lives Version: 1.6.2 Severity: important Tags: security lives contains a Perl script, smogrify, which is what does a lot of the work. I don't want to point out line-by-line all the issues in the smogrify script, but please consider significantly overhauling it. There are numerous inse