
bug#1732: marked as done (mutt auto_view insecure temp file creation)



Your message dated Sun, 7 Dec 2003 15:43:37 +0100
with message-id <20031207144337.GT5808@xxxxxxxxxxxxxxxxxxxxxxxxxx>
and subject line bug#1732: mutt auto_view insecure temp file creation
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Herr der Kaefer
(administrator, GUUG bugs database)

--------------------------------------
Received: (at submit) by bugs.guug.de; 7 Dec 2003 11:24:17 +0000
From: Artur R.Czechowski <arturcz@xxxxxxx>
To: submit@xxxxxxxxxxxx
Subject: mutt auto_view insecure temp file creation
X-GUUG-CC: 222125@xxxxxxxxxxxxxxx
Message-Id: <20031207112648.2708118814@xxxxxxxxxxxxxxxx>
Date: Sun,  7 Dec 2003 12:26:48 +0100 (CET)

Package: mutt
Version: 1.3.28-2.2
Severity: normal

[NOTE: this bug report has been submitted to the debian BTS as Bug#222125.
Please Cc all your replies to 222125@xxxxxxxxxxxxxxx .]

From: Brian Ristuccia <brian@xxxxxxxxxxxxx>
Subject: mutt auto_view insecure temp file creation
Date: Tue, 25 Nov 2003 13:53:29 -0500

It seems mutt always picks the same filename when autoviewing HTML mime
parts, /tmp/mutt.html. Depending on how careful it is about opening the
file, this could result in all sorts of trouble. Suggest using tmpfile(3)
or something similar instead. 

-- 
Brian Ristuccia
brian@xxxxxxxxxxxxx
bristucc@xxxxxxxxxx



---------------------------------------
Received: (at 1732-done) by bugs.guug.de; 7 Dec 2003 16:45:06 +0000
Date: Sun, 7 Dec 2003 15:43:37 +0100
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: "Artur R.Czechowski" <arturcz@xxxxxxx>, 1732-done@xxxxxxxxxxxx
Cc: 222125@xxxxxxxxxxxxxxx
Subject: Re: bug#1732: mutt auto_view insecure temp file creation
Message-ID: <20031207144337.GT5808@xxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <20031207112648.2708118814@xxxxxxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031207112648.2708118814@xxxxxxxxxxxxxxxx>
User-Agent: Mutt/1.5.5.1i

On 2003-12-07 12:26:48 +0100, Artur R.Czechowski wrote:

> It seems mutt always picks the same filename when autoviewing
> HTML mime parts, /tmp/mutt.html. Depending on how careful it is
> about opening the file, this could result in all sorts of
> trouble. Suggest using tmpfile(3) or something similar instead. 

mutt is as careful about opening that file as it is about opening a
temporary file whose name was generated using tmpfile -- in fact,
when mutt.html is not available, mutt will use a tmpfile-like
mechanism for making up a new file name.

Regards,
-- 
Thomas Roessler                       <roessler@xxxxxxxxxxxxxxxxxx>
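
The pattern discussed in this thread (a fixed name opened carefully, with a random name as fallback), sketched as an added example; this is not mutt's code. The function name open_view_tmp, the "view-XXXXXX" template and the scratch directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not mutt's code): open a temp file for an auto_view
 * style viewer. The fixed name is tried first, but only with O_CREAT|O_EXCL,
 * so open() fails with EEXIST if anything already exists at that path,
 * including a symlink (dangling or not) planted by another local user.
 * On EEXIST a random name from mkstemp(3) is used instead.
 * Returns an fd for a file created with mode 0600, or -1; the chosen path
 * is left in out. */
int open_view_tmp(const char *dir, const char *fixed, char *out, size_t outlen)
{
    int fd;

    if ((size_t)snprintf(out, outlen, "%s/%s", dir, fixed) >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;              /* created it ourselves, or a real error */

    /* Name is taken: never reuse or truncate it, pick an unpredictable one. */
    if ((size_t)snprintf(out, outlen, "%s/view-XXXXXX", dir) >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);        /* creates exclusively, mode 0600 */
}

int main(void)
{
    char dir[] = "/tmp/viewdemo-XXXXXX";   /* constructed scratch directory */
    char a[256], b[256];
    int fa, fb;

    if (!mkdtemp(dir))
        return 1;
    fa = open_view_tmp(dir, "mutt.html", a, sizeof a);  /* gets the fixed name */
    fb = open_view_tmp(dir, "mutt.html", b, sizeof b);  /* name taken: falls back */
    if (fa < 0 || fb < 0)
        return 1;
    printf("first:  %s\nsecond: %s\n", a, b);
    close(fa); close(fb);
    unlink(a); unlink(b); rmdir(dir);
    return 0;
}
```

Without O_EXCL, the same open() would follow a pre-planted symlink at the fixed path and write the attachment wherever it points, which is the "all sorts of trouble" the report refers to.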