x11-misc/adesklets specifies a location in /tmp for log storage. An attacker could create the file /tmp/adesklets_log.pid* as a symlink to arbitrary files on the system, and possibly overwrite those files upon adesklets filing a log entry. The ebuild should specify a log location that is not in a world-accessible directory.
s4t4n, please advise.
Well, adesklets runs with the privileges of the user who launched it, so this would be an issue only if that user is root (silly thing)... Also, this log file gets created only if debug is in USE. Anyway, I just committed to Portage a small change to the ebuilds so that log files are created in user home directories instead of /tmp; methinks it should be enough.
No feedback, closing. Feel free to reopen if necessary...
(In reply to comment #3)
> No feedback, closing. Feel free to reopen if necessary...

I agree. "INVALID" would even be appropriate.
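The symlink concern raised in the report can also be handled at the open call itself, wherever the log lives. The following is an added example, not adesklets or ebuild code: the function names, the scratch directory and the `pid42` suffix are assumptions, and `open_log_naive` is a constructed stand-in for a plain create-or-truncate open.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the risky pattern (not adesklets' code):
 * create-or-truncate follows a symlink planted at a predictable name. */
int open_log_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if the name already exists (a symlink counts),
 * O_NOFOLLOW refuses a symlink in the last component, 0600 keeps it private. */
int open_log_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory. Returns the link
 * target's size after the naive open; out-params carry the hardened result. */
long symlink_scenario(int *hardened_fd, int *hardened_errno)
{
    char dir[] = "/tmp/logdemo.XXXXXX", target[64], name[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/adesklets_log.pid42", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(target, name) != 0) return -1;
    fd = open_log_naive(name);              /* follows the link, truncates target */
    if (fd >= 0) close(fd);
    if (stat(target, &st) != 0) return -1;
    *hardened_fd = open_log_hardened(name); /* refused: the name already exists */
    *hardened_errno = errno;
    unlink(name); unlink(target); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    int fd, err;
    long size = symlink_scenario(&fd, &err);
    printf("target size: %ld, hardened fd=%d errno=%d\n", size, fd, err);
    return 0;
}
```

With `O_CREAT | O_EXCL` the open already fails on an existing symlink, so `O_NOFOLLOW` here is defence in depth for callers that later drop `O_EXCL`.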