Ansgar Burchardt
2008-Sep-29 18:10 UTC
[Secure-testing-team] Bug#500611: jumpnbump: insecure use of /tmp
Package: jumpnbump
Version: 1.50-6
Severity: grave
Tags: security
Justification: user security hole

Hi,

jumpnbump uses files in the /tmp directory in an unsafe manner:

 * jumpnbump-menu calls ``convert'' on files in /tmp, this allows
   another user to overwrite arbitrary files via symlinks.
   The patch for #500340 should solve this.
 * jumpnbump-menu calls ``jumpnbump-unpack'' in /tmp, same problem
   (this only affects the version in Etch, the version in Lenny is
   broken)
   The patch above addresses this as well.
 * in sdl/sound.c:509, the file "/tmp/jnb.tmpmusic.mod" is opened for
   writing
 * jumpnbump-unpack should not follow symlinks when overwriting files
   (makes it at least more safe if called in /tmp)

I think the last point is not as critical as the others, as the user
will have to start jumpnbump-unpack in a directory writable by others.

Regards,
Ansgar
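
The fixed-name open reported for sdl/sound.c, next to two safer ways to create the file, as an added example that is not jumpnbump's code or part of the original message. The helper names and the scratch directory are assumptions; the victim file and the symlink are constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fixed name; fopen() follows a symlink and truncates its target. */
static FILE *open_fixed_unsafe(const char *path) { return fopen(path, "wb"); }
/* Fixed name, hardened: O_EXCL refuses any existing entry, symlinks included. */
static int open_fixed_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Preferred: mkstemp() picks an unpredictable name and creates it exclusively. */
static int open_unique(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario in a private scratch directory: "victim" stands for a file
 * the user owns, "jnb.tmpmusic.mod" is a symlink already pointing at it.
 * Returns a bitmask: 1 = unsafe open emptied victim, 2 = exclusive open refused, 4 = mkstemp file is fresh and private. */
int run_demo(void) {
    char dir[] = "/tmp/jnbdemo.XXXXXX", victim[64], lnk[64], uniq[64];
    struct stat st;
    int result = 0, fd;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/jnb.tmpmusic.mod", dir);
    snprintf(uniq, sizeof uniq, "%s/jnb.XXXXXX", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important data\n", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;

    fd = open_fixed_excl(lnk);              /* hardened fixed name: must fail */
    if (fd < 0) result |= 2; else close(fd);
    fd = open_unique(uniq);                 /* uniq is rewritten to the real name */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && st.st_size == 0 && (st.st_mode & 077) == 0) result |= 4;
        close(fd);
    }
    if ((f = open_fixed_unsafe(lnk))) fclose(f);   /* writes through the link */
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;
    unlink(uniq); unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```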