From the Debian bug at $URL:
/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.
To reproduce, run the depend target in a BSD package like csh:
/tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
+ mv /tmp/_depend7338 .depend
This applies to both lenny and squeeze. Upstream is not affected as the
code was eliminated back in 2003:
Patch to use mktemp(1):
Even though the Debian bug says that upstream is not affected, I just checked our =sys-devel/pmake-1.111.1-r1 and it looks affected.
pmake-188.8.131.52 has the fix
(In reply to comment #1)
> pmake-184.108.40.206 has the fix
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
x86 stable. Thanks
amd64 done. Thanks Agostino and Ian
Thanks, folks. GLSA Vote: yes.
Have this gone to GLSA or not yet? Is there any actions bsd team should take?
(In reply to comment #11)
> Have this gone to GLSA or not yet? Is there any actions bsd team should take?
There is no action for the bsd team. The security team has it from here. Thanks.
Vote: YES. New GLSA request filed.
nothing left to do for bsd
This issue was resolved and addressed in
GLSA 201310-17 at http://security.gentoo.org/glsa/glsa-201310-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).