Insecure temporary file creation in strace option

Bug #782862 reported by Emanuel Bronshtein
This bug affects 3 people
Affects: f-spot (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: f-spot

The strace option inside /usr/bin/f-spot creates a temporary file with the fixed name "f-spot.strace" under /tmp.

Test case:
emanuel@emanuel-desktop:/tmp$ f-spot --strace
emanuel@emanuel-desktop:/tmp$ ls f-spot*
f-spot.strace

The bug can be found at:
elif $run_strace; then
 strace -ttt -f -o /tmp/f-spot.strace mono $MONO_OPTIONS $EXE_TO_RUN "$@"

Fix:
Use mktemp instead: `mktemp "/tmp/f-spot.strace.XXXXXX"`
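
The mktemp fix suggested in the report, worked into a replacement for the strace branch. This is an added example, not part of the original report and not f-spot's own code; the function names, the directory argument and the ownership check are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not f-spot's code): hardened strace branch for a launcher script.

# Create the trace file with mktemp: the name is unpredictable and the file is
# created exclusively, readable and writable by the owner only, so a file that
# another local user placed in the directory beforehand is never reused.
make_trace_file() {
    dir=${1:-/tmp}                      # directory argument is an assumption
    mktemp "$dir/f-spot.strace.XXXXXX"
}

# Hypothetical check: true only for a regular file (not a symlink) that the
# current user owns. The fixed name /tmp/f-spot.strace cannot guarantee this.
is_private_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# Replacement for: strace -ttt -f -o /tmp/f-spot.strace mono ...
run_with_strace() {
    trace_file=$(make_trace_file) || {
        echo "f-spot: cannot create strace output file" >&2
        return 1
    }
    is_private_regular_file "$trace_file" || return 1
    echo "f-spot: strace output in $trace_file" >&2
    # MONO_OPTIONS is left unquoted on purpose so it splits into options.
    strace -ttt -f -o "$trace_file" mono $MONO_OPTIONS "$EXE_TO_RUN" "$@"
}
```

Because the file name now changes on every run, the script prints the path to stderr so the user can still find the trace.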

David (d--)
Changed in f-spot (Ubuntu):
status: New → Confirmed
security vulnerability: no → yes
B Bobo (yout-bobo123)
tags: added: f-spot security vulnerability
This report contains Public Security information  
Everyone can see this security related information.
