From CVE-2008-5371 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5371)
screenie in screenie 1.30.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.screenie.##### temporary file.
I asked Marc, if he is getting this fixed, and he replied:
Sorry Craig, I do not have time to make changes on my OSS projects anymore, therefore I released the tool as OSS.
Debian has a patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509332#10
Ali, can you have a look at this?
Arches, please test and mark stable:
Target keywords : "amd64 hppa ia64 sparc x86"
+*screenie-1.30.0-r1 (08 Jun 2009)
+ 08 Jun 2009; Alex Legler <firstname.lastname@example.org> +screenie-1.30.0-r1.ebuild,
+ Non-maintainer commit: Applying patch for CVE-2008-5371, bug 250476.
Stable for HPPA.
amd64 stable, all arches done.
Vulnerable version removed.
GLSA voting, please.
As the Debian Symlink vulnerabilities usually got a GLSA, I vote YES.
Yes, too. Request filed.