--------------------------------------------------------------------------
Debian Security Advisory DSA 341-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 7th, 2003                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : liece
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no

liece, an IRC client for Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and liece, potentially with contents supplied by the attacker.
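Added example, not part of the advisory or of liece's code: a Python sketch of the bug class the advisory names, showing why a write to a predictable temporary path can land in another file and how exclusive creation stops it. It assumes the usual predictable-name pattern (the page does not show how liece builds its temporary names); the file names and the directory standing in for /tmp are constructed.

```python
import os
import tempfile


def unsafe_write(path, data):
    """Predictable-name pattern: open() follows whatever already sits at `path`."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Exclusive creation: O_CREAT|O_EXCL fails if the name exists, symlink included."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    # tempfile.mkstemp() applies the same flags and also randomises the name.


def demo():
    """Run both writers against a pre-existing link; return what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:      # stands in for /tmp
        target = os.path.join(shared, "dotfile")       # a file the user can write
        tmpname = os.path.join(shared, "example.tmp")  # constructed predictable name
        for label, writer in (("unsafe", unsafe_write), ("safe", safe_write)):
            with open(target, "w") as f:
                f.write("original")
            os.symlink(target, tmpname)                # name is already taken
            try:
                writer(tmpname, "temp data")
                refused = False
            except FileExistsError:
                refused = True
            with open(target) as f:
                results[label] = (refused, f.read())
            os.unlink(tmpname)
    return results


if __name__ == "__main__":
    for label, (refused, content) in demo().items():
        print(f"{label}: refused={refused} target now contains {content!r}")
```
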
I committed liece-1.4.10-r1.ebuild (liece-1.4.10.ebuild is the latest stable) to fix insecure temporary file creation. I also added liece-2.0.0_alpha20030526.ebuild (alpha version of CVS snapshot), which doesn't seem to have the security hole. I'm working on patching up liece-1.4.7.ebuild but I fail to run liece-1.4.7.ebuild, so it will need some time to fix. (Should I mask it in package.mask for a while?)
Mamoru, thanks for fixing this bug. I don't really see us sending out a GLSA after all this time if one has not already been sent. I'm changing resolution to FIXED.