This was fixed in ubuntu-ui-toolkit (1.1.1188+14.10.20140813.4-0ubuntu1) by http://bazaar.launchpad.net/~ubuntu-sdk-team/ubuntu-ui-toolkit/staging/revision/1182
** Information type changed from Private Security to Public Security

** Changed in: ubuntu-ui-toolkit (Ubuntu Utopic)
       Status: Confirmed => Fix Released

** Changed in: ubuntu-ui-toolkit (Ubuntu Trusty)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-ui-toolkit in Ubuntu.
https://bugs.launchpad.net/bugs/1348241

Title:
  StateSaver serializes potentially sensitive data under /tmp, doesn't use O_EXCL

Status in Ubuntu UI Toolkit:
  Fix Committed
Status in “ubuntu-ui-toolkit” package in Ubuntu:
  Fix Released
Status in “ubuntu-ui-toolkit” source package in Trusty:
  Confirmed
Status in “ubuntu-ui-toolkit” source package in Utopic:
  Fix Released

Bug description:
  This issue applies to desktop only, where StateSaver serializes data in
  files under /tmp. On devices, confined applications have their own
  TMPDIR, which makes it a non-issue, as far as I understand it.

  StateSaver uses QSettings under the hood to persist data on disk, which
  issues a plain QFile::open(QFile::ReadWrite) call to open the file,
  which does not set the O_EXCL flag. This makes it vulnerable to symlink
  attacks.

  Using QTemporaryFile would solve this issue, but it might not be easy to
  do with QSettings.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-ui-toolkit/+bug/1348241/+subscriptions
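The bug description above explains the symlink attack in one sentence; the following is an added, stand-alone example (not code from ubuntu-ui-toolkit, Qt or the reporter) that reproduces it with plain POSIX calls instead of QSettings/QFile. It plants a symlink at a predictable name in a scratch directory, shows that an `open(O_RDWR|O_CREAT)` with no `O_EXCL` follows the link and overwrites the target, that adding `O_EXCL` makes the same open fail with `EEXIST`, and that `mkstemp()` (the primitive behind QTemporaryFile) sidesteps the problem by picking an unpredictable name. The directory and file names (`/tmp/statesaver-demo-XXXXXX`, `state.conf`, `victim.txt`) are assumptions for the demo only.

```cpp
// Added example, not ubuntu-ui-toolkit or Qt code: O_EXCL vs. a planted /tmp symlink.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

struct DemoResult {
    bool plain_overwrote_victim; // open() without O_EXCL followed the symlink and clobbered the target
    int  excl_errno;             // errno from open() with O_CREAT|O_EXCL on the same path (expect EEXIST)
    bool mkstemp_ok;             // mkstemp() handed back a freshly created, unpredictably named file
};

// Small helper: slurp a file so the demo can check what the "victim" now contains.
static std::string read_file(const std::string &path) {
    std::string out;
    FILE *f = std::fopen(path.c_str(), "rb");
    if (!f) return out;
    char buf[256];
    size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, f)) > 0) out.append(buf, n);
    std::fclose(f);
    return out;
}

// Vulnerable pattern: predictable path, opened read/write and created if absent,
// without O_EXCL. This is what a plain QFile::open(QFile::ReadWrite) boils down to:
// if an attacker already placed a symlink there, the kernel follows it.
static int open_plain(const std::string &path) {
    return open(path.c_str(), O_RDWR | O_CREAT, 0600);
}

// Hardened pattern: O_CREAT|O_EXCL refuses to open if *anything* exists at the path,
// a symlink included, so a planted link can never redirect the write.
static int open_excl(const std::string &path) {
    return open(path.c_str(), O_RDWR | O_CREAT | O_EXCL, 0600);
}

DemoResult run_demo() {
    DemoResult r{false, 0, false};

    // Scratch directory (assumed name) so nothing real under /tmp is touched.
    char tmpl[] = "/tmp/statesaver-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return r;
    const std::string victim = std::string(dir) + "/victim.txt"; // file the attacker wants clobbered
    const std::string state  = std::string(dir) + "/state.conf"; // predictable name the app will open

    // Attacker side: a file worth clobbering, and a symlink at the predictable path.
    FILE *f = std::fopen(victim.c_str(), "wb");
    if (!f) return r;
    std::fputs("original\n", f);
    std::fclose(f);
    if (symlink("victim.txt", state.c_str()) != 0) return r;

    // Application, vulnerable version: "saves state" straight through the symlink.
    int fd = open_plain(state);
    if (fd >= 0) {
        const char msg[] = "clobbered\n";
        if (write(fd, msg, sizeof msg - 1) < 0) { /* ignored for the demo */ }
        close(fd);
    }
    r.plain_overwrote_victim = (read_file(victim) == "clobbered\n");

    // Application, hardened version: O_EXCL sees the existing symlink and refuses.
    errno = 0;
    fd = open_excl(state);
    r.excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    // Alternative the report suggests (QTemporaryFile): let mkstemp() pick the name,
    // which it creates with O_CREAT|O_EXCL, so there is no predictable path to pre-plant.
    std::string t = std::string(dir) + "/state-XXXXXX";
    int tfd = mkstemp(&t[0]);
    r.mkstemp_ok = (tfd >= 0);
    if (tfd >= 0) { close(tfd); unlink(t.c_str()); }

    // Tidy up the scratch directory.
    unlink(state.c_str());
    unlink(victim.c_str());
    rmdir(dir);
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::printf("plain open overwrote victim: %s\n", r.plain_overwrote_victim ? "yes" : "no");
    std::printf("O_EXCL open errno: %d (EEXIST=%d)\n", r.excl_errno, EEXIST);
    std::printf("mkstemp ok: %s\n", r.mkstemp_ok ? "yes" : "no");
    return 0;
}
```

Note that `O_CREAT|O_EXCL` only protects the create-new-file case; when a settings file is legitimately reused across runs, a fixed path under a world-writable directory stays attackable, which is why the confined-per-app TMPDIR on devices (or a per-user directory under `$XDG_RUNTIME_DIR`/`$XDG_CACHE_HOME` on the desktop) is the real fix rather than a flag on the open call.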