Hi Mark, thanks for the offer! However, I don't think a CVE is warranted because I don't agree that this is a security issue:
1. The temporary directory is created with permissions that only allow the user to read its contents. If a predictable filename is considered a security issue, then any application that uses fixed FHS-based directories in the user's home directory to store configuration data, including tokens and passwords, is vulnerable.
2. The DoS argument is equally far-fetched. How about creating a large file in the user's home directory until the entire disk is filled? Is that a DoS attack? Well, I'm afraid 99% of systems are vulnerable.

In general, I have a strong dislike for labeling arbitrary problems as security issues because you don't like the problem and hope it will get fixed faster if it's "security" related. This devalues the concept of security issues and creates noise in which problems of much higher severity can drown.

--
https://bugs.launchpad.net/bugs/129133
Title: mc uses predictable temp directory path