Bug#756565: lives: Numerous insecure temporary files used in smogrify

salsaman salsaman+lives at gmail.com
Sun Sep 25 22:02:40 UTC 2016


All issues noted above have been fixed. In addition:

- the terminology has been changed throughout to try to be less confusing.
The directory is now referred to as the "LiVES working directory"
everywhere.
For example prefs->tmpdir is now prefs->workdir in the C code, and $tmpdir
is now $workdir in Perl. The only exception is in the .lives config file
where the text <tmpdir> and <session_tmpdir> must be retained for backwards
compatibility.

- there were a couple of playback plugins where /tmp was the default for
creating a fifo file inside. Even though the user could overwrite this, the
default has now been changed to create these files in the LiVES working
directory.

- the command "smogrify get_tempdir" has been left alone for backwards
compatibility but is marked as deprecated in the source file. A new
directive "smogrify get_workdir" has been created; this latter version
writes to stdout and other applications may read this with popen().

- a couple of places where LiVES was creating temporary files in /tmp have
been altered to create these in the working directory instead.

I believe that all issues have been addressed. I will continue testing and
examining the code over the next few days to confirm this.


Relevant patches:
https://sourceforge.net/p/lives/code/2570
https://sourceforge.net/p/lives/code/2571
https://sourceforge.net/p/lives/code/2572
https://sourceforge.net/p/lives/code/2573
https://sourceforge.net/p/lives/code/2577
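
The pattern this message describes (read the directory from "smogrify get_workdir" with popen(), then create the fifo there instead of in /tmp), as an added example that is not part of the original message and is not LiVES code. The function names and "stream.fifo" are hypothetical, and the ownership and permission checks are assumptions about what a caller would want, not something the message states.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not LiVES code; function names are hypothetical. */

/* Read the first line printed by cmd (e.g. "smogrify get_workdir").
 * Returns 0 and fills buf only if cmd succeeded and printed an absolute path. */
int read_workdir(const char *cmd, char *buf, size_t len) {
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    char *line = fgets(buf, (int)len, p);
    int status = pclose(p);
    if (!line || status != 0) return -1;
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf[0] == '/' ? 0 : -1;
}

/* Create a FIFO in workdir rather than /tmp. Refuses a workdir that is a
 * symlink, is not owned by us, or is writable by group/others, and fails
 * instead of reusing a node that already exists under that name. */
int make_fifo_in_workdir(const char *workdir, const char *name,
                         char *path, size_t len) {
    struct stat st;
    if (strchr(name, '/') || lstat(workdir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    int n = snprintf(path, len, "%s/%s", workdir, name);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkfifo(path, 0600) == 0 ? 0 : -1;  /* EEXIST is an error */
}

int main(void) {
    char dir[1024], fifo[1100];
    if (read_workdir("smogrify get_workdir", dir, sizeof dir) != 0) {
        fputs("could not obtain the working directory\n", stderr);
        return 1;
    }
    /* "stream.fifo" is a made-up name for illustration. */
    if (make_fifo_in_workdir(dir, "stream.fifo", fifo, sizeof fifo) != 0) {
        fputs("refusing to create fifo\n", stderr);
        return 1;
    }
    printf("fifo created at %s\n", fifo);
    unlink(fifo);
    return 0;
}
```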