[Pkg-privacy-maintainers] Bug#915859: Bug#915859: uses a fixed filename in /tmp

Peter Palfrader weasel at debian.org
Fri Dec 7 12:06:38 GMT 2018


On Fri, 07 Dec 2018, intrigeri wrote:

> Hi,
> 
> Peter Palfrader:
> > onionshare uses /tmp/onionshare_server.log as a logfile with --debug.
> 
> Good catch!
> 
> While that code obviously conflicts with basic secure programming best
> practices, it seems to me that the default settings of the
> fs.protected_symlinks and fs.protected_hardlinks sysctls protect
> Debian users against exploitation, so I find RC severity hard to
> justify given this only affects users who manually pass --debug under
> a non-default sysctl/kernel configuration.
> 
> In any case, this should be fixed :)

In addition to the security issues of bad tempfile handling, it causes
onionshare to break for me as on this system several users run
onionshare.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
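An added illustration of the tempfile problem discussed in this bug (this is not onionshare's code and not part of the thread): the fixed `/tmp` name pattern beside an exclusive-create variant and a `mkstemp`-based one, plus a constructed scenario with a pre-planted dangling symlink that shows what `fs.protected_symlinks` normally shields against. Function names, the `victim` file and the runtime-dir fallback are my own choices.

```python
import os
import stat
import tempfile

# Path from the bug report; used here only to name the constructed scenario.
FIXED_LOG_PATH = "/tmp/onionshare_server.log"


def open_log_fixed_path(path=FIXED_LOG_PATH):
    """The pattern under discussion: a fixed, world-known name in shared /tmp.

    open(..., "a") follows symlinks and reuses whatever already sits there, so
    the first user to run --debug owns the file and every other user on the
    same host gets PermissionError (the breakage reported in this thread).
    """
    return open(path, "a")


def open_log_exclusive(path):
    """Create at a caller-chosen path without reusing an existing entry:
    O_CREAT|O_EXCL fails on anything already present, symlinks included."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "a")


def open_log_safely(prefix="onionshare_server_"):
    """Hardened form: unpredictable name, mode 0600, atomic creation, in the
    user's private runtime dir when one is usable. Returns (file, path)."""
    base = os.environ.get("XDG_RUNTIME_DIR")  # per-user dir, assumption: Linux
    if not base or not os.access(base, os.W_OK):
        base = tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".log", dir=base)
    # Check the descriptor, not the path, so nothing can be swapped in between.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        os.close(fd)
        raise RuntimeError(f"unexpected file at {path}")
    return os.fdopen(fd, "a"), path


def symlink_is_refused(workdir):
    """Constructed scenario: a dangling symlink planted at the fixed name in a
    directory where protected_symlinks does not apply. The exclusive open must
    fail (EEXIST, or ELOOP with O_NOFOLLOW) and create nothing behind it."""
    target = os.path.join(workdir, "victim")
    link = os.path.join(workdir, "onionshare_server.log")
    os.symlink(target, link)
    try:
        open_log_exclusive(link)
    except OSError:
        return not os.path.exists(target)
    return False
```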


