Bug#756565: lives: Numerous insecure temporary files used in smogrify

James Cowgill jcowgill at debian.org
Tue Sep 20 09:33:08 UTC 2016


Hi,

On 20/09/16 02:56, salsaman wrote:
> first of all, I am the main developer of LiVES. Please cc the address
> salsaman+lives at gmail.com to all
> future bugs related to LiVES.

You should go to https://tracker.debian.org/pkg/lives and press the
Subscribe button in the top right corner and you'll automatically get
CCed on all bug reports.

> Secondly, there is incorrect information in this bug report.
>>>
> 
> You'll see that $curtmpdir is set to /tmp/smogrify, via code such as:
> 
>         $handle=$ARGV[1];
>         $curtmpdir="$tmpdir/$handle";
> 
>>>
> 
> In fact $tmpdir is a bit of a misnomer, it points to the LiVES working
> directory, which is created for LiVES at install and chosen by the user,
> (or a subdirectory of this). $handle is a random number generated for
> the clip. So in this case it would be something like
> /home/user/livestmp/34736474/ or
> /home/user/livestmp/setname/clips/434637826/

I agree that the use of $tmpdir in this case should be fine, though as
the other bug report states, ~/livestmp is an annoying name. Probably
$XDG_CACHE_HOME/lives would be better.

> In fact /tmp is not used at all.
> 
> If there is a genuine problem here I would be happy to correct it.

I'm not sure about that though. Briefly looking at smogrify, I think the
use of /tmp for these files is still insecure:

/tmp/.smogrify.*
/tmp/.smogval*
/tmp/lives-symlinks/

Thanks,
James
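The three paths James lists share one property: a fixed, predictable name in the world-writable /tmp, opened with plain `open`, which follows whatever already sits at that path. The following Perl is an added example, not smogrify's or LiVES' own code, showing the shape of the fix a maintainer would apply: File::Temp creates randomly named files and directories with O_CREAT|O_EXCL inside a directory the user owns, and the last part checks directly that O_EXCL refuses a path that already exists. The working-directory name, the `smogval`/`lives-symlinks` templates and the helper names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not smogrify's own code): replacing predictable /tmp names
# with File::Temp, which creates entries atomically (O_CREAT|O_EXCL) under
# random names, so a file or symlink planted in advance at a guessable
# path is never opened or followed.
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Hypothetical per-user working directory, standing in for LiVES' own
# $tmpdir/$handle; created mode 0700 with a random suffix, removed at exit.
my $workdir = tempdir("lives-example.XXXXXX", TMPDIR => 1, CLEANUP => 1);

# Insecure pattern (the shape of /tmp/.smogval*), shown for contrast and
# deliberately never called here: a fixed location anyone can write to, a
# name anyone can predict, and an open() that truncates whatever is there.
sub insecure_value_file {
    my ($name) = @_;
    my $path = "/tmp/.smogval$name";               # predictable, shared
    open(my $fh, '>', $path) or die "$path: $!";   # follows symlinks
    return ($fh, $path);
}

# Secure replacement: random suffix, created with O_CREAT|O_EXCL in the
# user's own directory, unlinked automatically at exit. tempfile() dies
# rather than reusing an existing entry.
sub secure_value_file {
    my ($name) = @_;
    my ($fh, $path) = tempfile(".smogval-$name-XXXXXXXX",
                               DIR => $workdir, UNLINK => 1);
    return ($fh, $path);
}

# Per-run private directory replacing a shared /tmp/lives-symlinks/:
# nobody else can pre-create it or drop entries into it.
my $linkdir = tempdir("lives-symlinks.XXXXXX", DIR => $workdir, CLEANUP => 1);

# The property that makes the above safe, checked directly: an O_EXCL
# create fails (EEXIST) when the path already exists instead of silently
# truncating or following it. Returns undef on refusal.
sub exclusive_create {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return undef;
    return $fh;
}

# Seed an ordinary file at a path, then confirm exclusive_create refuses it.
my $taken = "$workdir/already-there";
open(my $seed, '>', $taken) or die "$taken: $!";
close $seed;
die "O_EXCL should have refused an existing path\n"
    if defined exclusive_create($taken);
print "O_EXCL refused the pre-existing path, as expected\n";

# Normal use of the secure helper.
my ($fh, $path) = secure_value_file("frame");
print $fh "value\n";
close $fh;
print "wrote $path\n";
print "private symlink dir: $linkdir\n";
```

The same reasoning applies to `/tmp/.smogrify.*`: the fix is not a less guessable prefix but moving the files out of the shared directory and creating them with an exclusive, randomly named open, which is what `tempfile` and `tempdir` do.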

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20160920/6f72746a/attachment.sig>

