[Pm-utils] pm-utils 1.2.1 and 188.8.131.52 released
mbiebl at gmail.com
Sat Oct 4 15:56:16 PDT 2008
Thanks for the nice release.
2008/10/4 Victor Lowther <victor.lowther at gmail.com>:
> 1.2.1 Release Announcement
> * pm-utils has support for saving quirks as a HAL FDI file. If
> called with --store-quirks-as-fdi, an .fdi file specific to the
> machine and quirks passed on the command line will be written
> to /tmp/pm-utils-created.fdi.
This sounds dangerous, looks like insecure tmp file usage.
A malicious attacker could create a symlink and this way trick you
into overwriting important files.
I see three possibilities:
1.) Use mktemp to create a random name (and tell the user the name).
2.) Store the file in /etc/hal/fdi, isn't it intended for that anyway?
3.) Dump the fdi file to stdout.
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
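
The difference between the fixed /tmp name and option 1 from the reply, shown as an added example that is not part of the original mail or of pm-utils itself. The function names, the scratch directory layout and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a private scratch directory.

# Pattern from the announcement: a fixed, predictable file name.
# The shell's ">" opens the path without O_EXCL, so a symlink that
# already exists at that name is followed and its target is truncated.
write_fixed() {            # $1 = directory, $2 = content
    printf '%s\n' "$2" > "$1/pm-utils-created.fdi"
}

# Option 1 from the reply: mktemp picks an unpredictable name, creates the
# file exclusively, and the chosen name is reported back to the caller.
write_mktemp() {           # $1 = directory, $2 = content; prints the path used
    out=$(mktemp "$1/pm-utils-created.XXXXXX") || return 1
    printf '%s\n' "$2" > "$out"
    printf '%s\n' "$out"
}

# Scenario: a "victim" file plus a symlink already sitting at the fixed name.
# Prints what the victim file contains after the write.
run_case() {               # $1 = fixed | mktemp
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/tmp"
    printf 'important\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/tmp/pm-utils-created.fdi"
    case $1 in
        fixed)  write_fixed  "$scratch/tmp" '<deviceinfo/>' ;;
        mktemp) write_mktemp "$scratch/tmp" '<deviceinfo/>' >/dev/null ;;
    esac
    cat "$scratch/victim"
    rm -rf "$scratch"
}

echo "fixed name: victim file now contains '$(run_case fixed)'"
echo "mktemp    : victim file now contains '$(run_case mktemp)'"
```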