Summary (full details in URL)
Each user has his own profile, which can be personalized with a picture. When a user adds a picture for his profile, Skype creates a file named "skype_profile.jpg" in the /tmp directory in an insecure manner, without checking if the file already exists and if it's a symbolic link.
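The missing check from the summary above, as an added example (not Skype's code and not from the upstream fix): opening the file with `O_CREAT | O_EXCL | O_NOFOLLOW` makes the kernel refuse an existing name or a symbolic link atomically. The helper name `create_private_file`, the `demo` self-check and the scratch directory are assumptions made for the illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* mkdtemp(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `path` only if the name is unused.
 * O_EXCL     - fail if anything (file or symlink, even dangling) is there
 * O_NOFOLLOW - never follow a symlink in the last path component
 * 0600       - owner-only read/write */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-check in a scratch directory. Returns 0 when a name
 * occupied by a symlink is refused, the link target is untouched, and a
 * free name is created with no group/other permissions. */
int demo(void)
{
    char dir[] = "/tmp/profile-demo-XXXXXX";
    char target[128], pic[128];
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(pic, sizeof pic, "%s/skype_profile.jpg", dir);

    int fd = create_private_file(target);          /* stand-in user file */
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0)
        return -1;
    if (symlink(target, pic) != 0)                 /* name already taken */
        return -1;

    int refused = create_private_file(pic) < 0;
    int intact = stat(target, &st) == 0 && st.st_size == 4;

    unlink(pic);                                   /* name is free again */
    fd = create_private_file(pic);
    int created = fd >= 0 && fstat(fd, &st) == 0 &&
                  S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
    if (fd >= 0)
        close(fd);
    unlink(pic);
    unlink(target);
    rmdir(dir);
    return (refused && intact && created) ? 0 : 1;
}

int main(void) { return demo(); }
```

Because the existence test and the creation happen in one `open()` call, there is no window between "check" and "create" for the name to change.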
net-im please advise.
Well, I really don't know how this can be handled. Right now Skype in Gentoo is started via a wrapper script; maybe changing the script so that it will:
1 - try to remove the file in /tmp
1.1 - if it fails, exit with error
2 - create the file with correct permissions
3 - continue with normal startup
Any ideas if this is OK?
Gustavo, we could also wait a bit to see whether upstream releases a fix.
It seems this is fixed in 1.2.0.11 (bug #100611). See the changelog: bugfix: profile image file in /tmp not checked properly (thanks to Giovanni Delvecchio for reporting)
net-im please bump.
Bumped in portage.
Thx Karol.