[debian-mysql] Bug#663245: mylvmbackup: possible insecure temporary file creation

[Stevie Trujillo]

Package: mylvmbackup
Version: 0.13-1
Severity: normal

/usr/bin/mylvmbackup:
line 40   my $TMP= ($ENV{TMPDIR} || "/tmp");
line 619  my $command="echo 'select 1;' | $mysqld_safe --socket=$TMP/mylvmbackup.sock --pid-file=$pidfile --log-error=$TMP/mylvmbackup_recoverserver.err --datadir=$mountdir/$relpath --skip-networking --skip-grant --bootstrap --skip-ndbcluster --skip-slave-start";

I have no idea how MySQL works, but assuming it writes to --log-error=$TMP/mylvmbackup_recoverserver.err
I think bad things might happen if it's symlinked to another place?


Also, is there a reason
#518471 - mylvmbackup: Too wide permissions for tarballs
is not in Debian Stable?

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mylvmbackup depends on:
ii  libconfig-inifiles-perl       2.52-1     Read .ini-style configuration file
ii  libdbd-mysql-perl             4.016-1    Perl5 database interface to the My
ii  libtimedate-perl              1.2000-1   collection of modules to manipulat
ii  lvm2                          2.02.66-5  The Linux Logical Volume Manager

mylvmbackup recommends no packages.

Versions of packages mylvmbackup suggests:
ii  mysql-server                  5.1.49-3   MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-serve 5.1.49-3   MySQL database server binaries and

-- Configuration Files:
/etc/mylvmbackup.conf [Errno 13] Permission denied: u'/etc/mylvmbackup.conf'

-- no debconf information