[Pkg-privacy-maintainers] Bug#915859: Bug#915859: uses a fixed filename in /tmp
intrigeri
intrigeri at debian.org
Fri Dec 7 12:04:57 GMT 2018
Hi,
Peter Palfrader:
> onionshare uses /tmp/onionshare_server.log as a logfile with --debug.
Good catch!
While that code obviously conflicts with basic secure programming best
practices, it seems to me that the default settings of the
fs.protected_symlinks and fs.protected_hardlinks sysctls protect
Debian users against exploitation, so I find RC severity hard to
justify given this only affects users who manually pass --debug under
a non-default sysctl/kernel configuration.
In any case, this should be fixed :)
Cheers,
--
intrigeri
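
An added example, not part of the original message and not onionshare's code: the fixed-path log open described in the report next to a hardened open, plus a reader for the two sysctls mentioned above. The function names, the `onionshare_debug_` prefix and the scratch-directory scenario are assumptions made for illustration.

```python
import errno
import os
import tempfile

def read_link_protection(proc_fs="/proc/sys/fs"):
    """Read the two sysctls named in the message; None if unavailable."""
    values = {}
    for name in ("protected_symlinks", "protected_hardlinks"):
        try:
            with open(os.path.join(proc_fs, name)) as f:
                values[name] = int(f.read().strip())
        except (OSError, ValueError):
            values[name] = None  # non-Linux system or unreadable value
    return values

def open_log_fixed_path(path):
    """Pattern from the report: predictable path, symlinks followed."""
    return open(path, "a")

def open_log_hardened(path):
    """Create the log owner-only; fail if anything already sits at path."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "a")

def open_log_private_dir(prefix="onionshare_debug_"):  # prefix is hypothetical
    """Put the log inside a fresh 0700 directory with an unpredictable name."""
    return open_log_hardened(os.path.join(tempfile.mkdtemp(prefix=prefix), "server.log"))

def demo():
    """Constructed scenario: a symlink already occupies the log path."""
    # Private scratch dir and our own symlink: protected_symlinks does not apply.
    with tempfile.TemporaryDirectory() as scratch:
        other = os.path.join(scratch, "other_file")
        log = os.path.join(scratch, "onionshare_server.log")
        open(other, "w").close()
        os.symlink(other, log)
        with open_log_fixed_path(log) as f:
            f.write("debug line\n")
        followed = os.path.getsize(other) > 0
        try:
            open_log_hardened(log).close()
            refused = False
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        return followed, refused

if __name__ == "__main__":
    print(read_link_protection(), demo())
```

The hardened open does not depend on the kernel settings: it fails on any pre-existing entry at the path, so it behaves the same whether or not `fs.protected_symlinks` is enabled.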