[Pkg-mozext-maintainers] Bug#740759: xpi-repack: insecure use of /tmp

Jakub Wilk jwilk at debian.org
Tue Mar 4 19:22:08 UTC 2014

Package: mozilla-devscripts
Version: 0.35
Severity: important
Tags: security patch

xpi-repack uses a subdirectory of /tmp with a predictable name.
A malicious local user could exploit this flaw to cause denial of service,
or, if they win the race, to tamper with the unpacked xpi.

Patch attached.

Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xpi-repack-mkdtemp.diff
Type: text/x-diff
Size: 903 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20140304/ab34c3a0/attachment.diff>
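
The weakness described in the report, next to a hardened form using Python's tempfile.mkdtemp, as an added example that is not part of the original message and is not xpi-repack's own code. The function names, the "repack-" prefix and the sample file are constructed for illustration, and a private sandbox directory stands in for the shared /tmp.

```python
import os
import stat
import tempfile


def predictable_workdir(tmp_root, xpi_name):
    """Weak pattern (constructed): a fixed, guessable name under a shared directory."""
    path = os.path.join(tmp_root, "repack-" + xpi_name)
    # exist_ok=True silently adopts a directory someone else created first;
    # without it, a pre-created directory makes the tool fail (denial of service).
    os.makedirs(path, exist_ok=True)
    return path


def safe_workdir(tmp_root):
    """Hardened pattern: random name, created atomically with mode 0700."""
    return tempfile.mkdtemp(prefix="repack-", dir=tmp_root)


def audit_workdir(path):
    """Return the reasons a work directory must not be trusted for unpacking."""
    problems = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory (symlink or other file type)"]
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if os.listdir(path):
        problems.append("not empty: contents predate this run")
    return problems


def demo():
    """Audit both patterns after the predictable name was created in advance."""
    with tempfile.TemporaryDirectory() as tmp_root:
        planted = os.path.join(tmp_root, "repack-example.xpi")
        os.mkdir(planted)
        os.chmod(planted, 0o777)
        with open(os.path.join(planted, "install.rdf"), "w") as fh:
            fh.write("constructed sample content")
        weak = audit_workdir(predictable_workdir(tmp_root, "example.xpi"))
        strong = audit_workdir(safe_workdir(tmp_root))
        return weak, strong
```

demo() returns the audit findings for each pattern: the predictable directory is reported as writable by others and already populated, while the mkdtemp directory yields no findings.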
