[Pkg-privacy-maintainers] Bug#915859: Bug#915859: uses a fixed filename in /tmp

intrigeri intrigeri at debian.org
Fri Dec 7 12:04:57 GMT 2018


Hi,

Peter Palfrader:
> onionshare uses /tmp/onionshare_server.log as a logfile with --debug.

Good catch!

While that code obviously conflicts with basic secure programming best
practices, it seems to me that the default settings of the
fs.protected_symlinks and fs.protected_hardlinks sysctls protect
Debian users against exploitation, so I find RC severity hard to
justify given this only affects users who manually pass --debug under
a non-default sysctl/kernel configuration.

In any case, this should be fixed :)

Cheers,
-- 
intrigeri



More information about the Pkg-privacy-maintainers mailing list