from USN-243-1: Javier Fernández-Sanguino Peña discovered that the tuxpaint-import.sh script created a temporary file in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running tuxpaint. http://security.ubuntu.com/ubuntu/pool/main/t/tuxpaint/tuxpaint_0.9.14-2ubuntu0.1.diff.gz
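The advisory above describes the classic insecure-temp-file pattern: a fixed, predictable name in the shared /tmp directory that another local user can pre-create as a symlink. The script below is an added illustration, not the tuxpaint-import.sh script or the Ubuntu patch; the tp_* function names are hypothetical. It shows the vulnerable pattern as a comment and, beside it, the hardened form: a private mktemp directory for the scratch file and a symlink check on the final destination right before the rename.

```shell
#!/bin/sh
# Added example, not tuxpaint's own code: hardened temp-file handling for a
# shell import script. The tp_* names are hypothetical.
#
# The insecure pattern from the advisory, shown only as a comment:
#   TMPDIR=/tmp
#   convert "$1" "$TMPDIR/tuxpaint-import.ppm"      # fixed, predictable name
# Anyone on the host can pre-create /tmp/tuxpaint-import.ppm as a symlink, and
# the write then lands wherever the link points, with the user's privileges.

# Create a private scratch directory (mode 0700, random suffix) and print its
# path. mktemp creates it atomically, so there is no window in which an
# attacker can plant a link under the name we are about to use.
tp_make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/tuxpaint-import.XXXXXX"
}

# Return 0 if it is safe to create a regular file at $1: the path itself must
# not be a symlink, and its parent must exist and not be a symlink either.
tp_path_is_safe() {
    target=$1
    parent=$(dirname "$target")
    [ -d "$parent" ] || return 1
    [ -L "$parent" ] && return 1
    [ -L "$target" ] && return 1
    return 0
}

# Import $1 into the save directory $2 through a private workdir; prints the
# final path on success, returns 1 (and leaves nothing behind) on failure.
# The real script would run a converter here; cp stands in for it.
tp_import_file() {
    src=$1
    savedir=$2
    dest="$savedir/$(basename "$src")"
    work=$(tp_make_workdir) || return 1
    if cp "$src" "$work/image.tmp" \
        && tp_path_is_safe "$dest" \
        && mv "$work/image.tmp" "$dest"; then
        rm -rf "$work"
        printf '%s\n' "$dest"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# Usage: tp_import_file /path/to/picture.png "$HOME/.tuxpaint/saved"
```

The intermediate file lives only inside the mode-0700 directory mktemp returns, so no other user can place a link at its name; the destination check is there so that an existing symlink in the save directory is refused rather than silently replaced by the rename.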
I took a look at this patch and it has a lot of stuff we don't need/want. We obviously don't care for stuff in the debian/ folder, but we should be aware of the way they are hardcoding defines in tuxpaint.c ("Debian's build dependencies guarantee all headers have been included"). The changes to the Makefile are simply cosmetic, too. My two cents: apply only what is relevant to this bug. --- tuxpaint-0.9.14.orig/src/tuxpaint-import.sh +++ tuxpaint-0.9.14/src/tuxpaint-import.sh @@ -12,8 +12,8 @@ # September 21, 2002 - June 17, 2003 -TMPDIR=/tmp -SAVEDIR=$HOME/.tuxpaint/saved +SAVEDIR="$HOME/.tuxpaint/saved" +TMPDIR="$SAVEDIR"
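Review bot: the hunk only relocates the scratch file from /tmp into $HOME/.tuxpaint/saved; that closes the shared-directory symlink race only if $SAVEDIR already exists and is writable by the user alone, and the hunk adds no mkdir or permission check for it, nor is the code that names the scratch file visible here, so a predictable name in a directory another account can write to would keep the problem. Suggest creating the scratch file with mktemp (or a mode-0700 mktemp -d directory), or at least guarding with `mkdir -p "$SAVEDIR"` plus a check that it is not a symlink before use. The added double quotes around "$HOME/.tuxpaint/saved" are a genuine fix for home directories containing spaces and should be kept whatever else is applied.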
Graphics please provide an updated ebuild.
This patch is already in 0.9.15b's sources (first thing I should have checked, doh). It is just a matter of keywording.
Arches please test and mark stable.
x86 done - and I have drawn a nice picture full of wonderful graphical effects :) The tuxpaint-import script doesn't work here at all, though, but it didn't work here in 0.9.14 either, so it doesn't stop .15b from going stable.
(In reply to comment #5)
> The tuxpaint-import script doesn't work here at all, though, but it didn't work here in 0.9.14 either, so it doesn't stop .15b from going stable.

I found out that it works nicely with media-libs/netpbm-10.31-r1, which is currently unstable for all arches (except m68k, ppc-macos and s390). I have opened bug #119357 for this.
ppc stable
amd64 stable
Not sure this is worth a GLSA but otoh I never use tuxpaint.
Using malicious symbolic links against children using tuxpaint is evil. It's not the kind of software you use on multiuser systems, so I tend to vote no.
No from me.
I tend to say NO as well, so closing without GLSA.