See bug 235770.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5007
create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
lang-misc, are you alive?
Yes. At the time lang-misc@g.o was added to the CC list, lazarus-0.9.26 was already in the tree, which doesn't use /tmp for temporary files (instead uses ~/tmp), and lazarus never had stable keywords, so I'm not sure what you want us to do. If you want to see the old version gone from the tree, then no objections from me, but I don't see the need.
I'd personally prefer to see it removed, but your decision to keep it is ok, too. What I expected from you was feedback so that we can resolve the issue; as it's already fixed, and nothing left to do, I'm closing this. Thanks!
Is there any good reason to put temp files into ~/tmp?
(In reply to comment #5)
> Is there any good reason to put temp files into ~/tmp?

mktemp (or anything similar) is never mentioned in the mailing list thread about this issue, so I'd say upstream was either unaware of it or supports systems they know don't have mktemp. Without that, ~/tmp is more secure than /tmp. If you care, I can ask upstream about it.
(In reply to comment #6)
> (In reply to comment #5)
> > Is there any good reason to put temp files into ~/tmp?
>
> mktemp (or anything similar) is never mentioned in the mailing list thread
> about this issue, so I'd say upstream was either unaware of it or supports
> systems they know don't have mktemp. Without that, ~/tmp is more secure than
> /tmp.

I just feel like putting temp files into ~/tmp violates the FHS. If mktemp's existence is an issue, one could either check for it and otherwise fall back to using ~/tmp or simply depend on it. It should be present on modern unix systems.

> If you care, I can ask upstream about it.

Great, thanks.
Upstream wants to use a fixed location so that running the same script multiple times will reuse the previous temporary directory. A successful run will remove the tempdir, but after failure the tempdir is kept around and meant to be kept around. This seems a reasonable desire to me, and given the choice between a fixed location in /tmp and a fixed location in ~/tmp (or any other private location), the former is far more troublesome.
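
The trade-off in the last comment (a fixed, reusable work directory that survives a failed run) can be kept without trusting whatever already sits at the fixed name. The sketch below is an added example, not part of the thread and not upstream's script; the function names and the paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: reuse a fixed work directory only if it is private.
# Names are hypothetical; only the ~/tmp versus /tmp choice is from the thread.

# True if $1 is a real directory (not a symlink), owned by the current
# user, and not writable by group or others. find does not follow
# symlinks by default, so -type d rejects a planted link.
is_private_dir() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" \
              ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# reuse_private_workdir BASE NAME
# Prints BASE/NAME if it can be created or safely reused, else fails.
reuse_private_workdir() {
    base=$1
    work=$1/$2
    ( umask 077; mkdir -p "$base" ) || return 1
    # A shared parent such as /tmp fails here: anyone may create
    # BASE/NAME first, which is the CVE-2008-5007 situation.
    if ! is_private_dir "$base"; then
        echo "refusing $base: parent is not private" >&2
        return 1
    fi
    # Plain mkdir fails on any existing name, symlinks included; a
    # leftover from an earlier failed run is accepted only if it
    # passes the same check.
    ( umask 077; mkdir "$work" ) 2>/dev/null || :
    if ! is_private_dir "$work"; then
        echo "refusing $work: not a private directory" >&2
        return 1
    fi
    printf '%s\n' "$work"
}

# Typical use: keep the directory on failure, remove it on success.
#   work=$(reuse_private_workdir "$HOME/tmp" lazarus) || exit 1
#   build_step "$work" && rm -rf "$work"
```

Where reuse across runs is not needed, `mktemp -d` gives an unpredictable name and sidesteps the fixed-path problem altogether.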