Bug#898383: srs: /tmp/srsd socket should not be in /tmp

gregor herrmann gregoa at debian.org
Fri May 11 00:52:18 BST 2018


On Fri, 11 May 2018 00:08:52 +0200, Martin Burmester wrote:

> /tmp is a bad place for the srsd socket. Unfortunately that pathname is
> hardcoded (/usr/bin/srsd, line 15). It is probably not an exploitable
> insecure tempfile creation, nonetheless it should not be there.

And in some other places, in case we want to add a patch:

% grep -r /tmp/srsd
eg/exim/srs.conf:	address_data = ${readsocket{/tmp/srsd}\
eg/exim/srs.conf:	address_data = ${readsocket{/tmp/srsd}\
eg/exim/srs.conf:#^(?i:srs0[-+=])	${readsocket{/tmp/srsd}{REVERSE $0\n}{5s}{\n}\
eg/exim/srs.conf:#^(?i:srs1[-+=])	${readsocket{/tmp/srsd}{REVERSE $0\n}{5s}{\n}\
eg/exim/srs.conf:#*				${readsocket{/tmp/srsd}{FORWARD $0 SRSDOMAIN}{5s}{\n}\
lib/Mail/SRS/Daemon.pm:$SRSSOCKET = '/tmp/srsd';
srsd:$PATH = '/tmp/srsd';


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Element of Crime: Finger weg von meiner Paranoia
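
Added example, not part of the original message or of the srs package: a small audit of a UNIX socket path that flags world-writable ancestor directories such as /tmp, plus an unexpected file type or owner at the path itself. The function name `audit_socket_path`, the `expected_uid` parameter and the path `/run/srsd/srsd.sock` are assumptions made for illustration; only `/tmp/srsd` comes from the message.

```python
import os
import stat


def audit_socket_path(path, expected_uid=0):
    """Return a list of findings for a UNIX socket path (empty = nothing flagged)."""
    findings = []
    # Walk every ancestor directory. One that other users can write to lets
    # them create an entry at the socket's name before the daemon binds it,
    # or, without the sticky bit, replace an entry that already exists.
    d = os.path.realpath(os.path.dirname(os.path.abspath(path)))
    while True:
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            mode = 0  # directory not created yet: nothing to inspect here
        if mode & stat.S_IWOTH:
            sticky = "sticky" if mode & stat.S_ISVTX else "NOT sticky"
            findings.append(f"{d}: world-writable ({sticky})")
        if d == os.path.dirname(d):
            break
        d = os.path.dirname(d)

    # If something already sits at the path, check what it is and who owns it.
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: exists but is not a socket")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


if __name__ == "__main__":
    # /tmp/srsd is the path from the message; the /run path is a hypothetical
    # alternative under a directory only the daemon's user can write to.
    for p in ("/tmp/srsd", "/run/srsd/srsd.sock"):
        print(p, audit_socket_path(p) or "no findings")
```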