[Secure-testing-team] Bug#500611: jumpnbump: insecure use of /tmp
Ansgar Burchardt
ansgar at 2008.43-1.org
Mon Sep 29 18:10:46 UTC 2008
Package: jumpnbump
Version: 1.50-6
Severity: grave
Tags: security
Justification: user security hole
Hi,

jumpnbump uses files in the /tmp directory in an unsafe manner:

 * jumpnbump-menu calls `convert' on files in /tmp, this allows
   another user to overwrite arbitrary files via symlinks.
   The patch for #500340 should solve this.
 * jumpnbump-menu calls `jumpnbump-unpack' in /tmp, same problem
   (this only affects the version in Etch, the version in Lenny is
   broken)
   The patch above addresses this as well.
 * in sdl/sound.c:509, the file "/tmp/jnb.tmpmusic.mod" is opened
   for writing
 * jumpnbump-unpack should not follow symlinks when overwriting files
   (makes it at least more safe if called in /tmp)

I think the last point is not as critical as the others, as the user
will have to start jumpnbump-unpack in a directory writable by others.

Regards,
Ansgar
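
Added example, not part of the original report and not jumpnbump's code: the fixed-name write reported for sdl/sound.c next to two safer ways to create the file, run against a constructed symlink in a scratch directory. The function names, the scratch directory and the file contents are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write data to fd and close it; -1 if the open failed or the write was short. */
static int put(int fd, const char *data)
{
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    return (close(fd) == 0 && ok) ? 0 : -1;
}
/* Unsafe, same flags as fopen(path, "w"): a symlink planted at the
 * predictable name is followed and its target truncated. */
int write_predictable(const char *path, const char *data)
{ return put(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666), data); }
/* Fixed name kept, but O_EXCL refuses any existing entry, symlinks included. */
int write_exclusive(const char *path, const char *data)
{ return put(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600), data); }
/* Preferred: mkstemp() fills in XXXXXX and creates the file exclusively, mode 0600. */
int write_private(char *tmpl, const char *data)
{ return put(mkstemp(tmpl), data); }

/* Constructed scenario: "victim" stands in for another file, "jnb.tmpmusic.mod" is a
 * symlink to it. mode 0 = mkstemp, 1 = O_EXCL, 2 = fixed name. 1 if victim intact. */
int victim_survives(int mode)
{
    char dir[] = "/tmp/jnbdemoXXXXXX", victim[64], lnk[64], tmpl[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/jnb.tmpmusic.mod", dir);
    snprintf(tmpl, sizeof tmpl, "%s/jnb.XXXXXX", dir);
    if (put(open(victim, O_WRONLY | O_CREAT, 0600), "data") || symlink(victim, lnk)) return -1;
    if (mode == 0) write_private(tmpl, "x");
    else if (mode == 1) write_exclusive(lnk, "x");
    else write_predictable(lnk, "x");
    int fd = open(victim, O_RDONLY);
    ssize_t got = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(lnk); unlink(victim); rmdir(dir);
    return got >= 0 && strcmp(buf, "data") == 0;
}

int main(void)
{
    printf("intact: %d %d %d\n", victim_survives(0), victim_survives(1), victim_survives(2));
    return 0;
}
```

The scratch directory is private to the caller, so the symlink is followed even on Linux systems where fs.protected_symlinks restricts this in sticky world-writable directories such as /tmp.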