Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>: Bug#488140; Package checkinstall.
Acknowledgement sent to Felipe Sateler <fsateler@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>.
Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole
*** Please type your report below this line ***
Checkinstall (and installwatch) create temporary directories manually
instead of using mktemp, which creates a race condition.
The attached patch changes these into calls to mktemp, which is secure.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages checkinstall depends on:
ii dpkg-dev 1.15.0 Debian package development tools
ii file 4.24-2 Determines file type using "magic"
ii findutils 4.4.0-2 utilities for finding files--find,
ii libc6 2.7-12 GNU C Library: Shared libraries
Versions of packages checkinstall recommends:
ii make 3.81-5 The GNU version of the "make" util
-- no debconf information
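An added illustration of the race the report describes, not code from checkinstall, installwatch or the attached patch: a constructed shell script contrasting a hand-built temporary directory with one from `mktemp -d`. The function names and the `build.` prefix are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example; not taken from checkinstall or installwatch.

# Manual creation: the name is predictable (PID-based) and `mkdir -p` reports
# success even when the path already exists, so the caller cannot tell whether
# it created the directory or inherited one prepared by another local user.
make_tmpdir_manual() {
    base=$1
    dir="$base/build.$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# mktemp -d: picks an unpredictable name and creates the directory atomically
# with owner-only permissions; it fails rather than reuse an existing path.
make_tmpdir_mktemp() {
    base=$1
    mktemp -d "$base/build.XXXXXXXXXX"
}

# Returns 0 only if the path is a real directory (not a symlink) and is empty.
tmpdir_is_fresh() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Demo inside a private sandbox: the predictable path already exists
# before the script asks for its temporary directory.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/build.$$"
    : > "$sandbox/build.$$/planted"   # constructed stand-in for pre-placed content
    manual=$(make_tmpdir_manual "$sandbox")
    safe=$(make_tmpdir_mktemp "$sandbox")
    tmpdir_is_fresh "$manual" && echo "manual: fresh" || echo "manual: reused existing directory"
    tmpdir_is_fresh "$safe" && echo "mktemp: fresh" || echo "mktemp: reused existing directory"
    rm -rf "$sandbox"
}
demo
```

A script that must keep a fixed name can call plain `mkdir` (without `-p`) and abort on failure, which at least detects the pre-existing path.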
Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Sateler <fsateler@gmail.com>: Bug#488140; Package checkinstall.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Felipe Sateler <fsateler@gmail.com>.