vulnerable to symlink attack via insecure /tmp directory or file

Patched for natty and oneiric.

Tested and confirmed that moving the directories works.

Please find attached, debdiff for 10.10 Maverick.

Hi Zubin - Thanks for the debdiff! A few comments:

1) What did you base your patch off of? The patch in the Debian BTS is slightly different. Your version seems to make a few more changes.

2) The changelog is not formatted as specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the debdiff is updated.

Hi! The changes I had made were based on a patch that was sent to the mailing list thread at [1], aand here's a link to the patch[2].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=24;filename=nmudiff.atop;att=1;bug=622794

Hi, I'm uploading a second debdiff file with changes as in the above link and a corrected changelog.

Hi Zubin - The changelog looks pretty good, but now I see that you are using the exact patch from Debian. I thought that you were intentionally diverging from the Debian patch in your first debdiff.

Since Lucid and Maverick shipped version 1.23-1 and Squeeze has fixed the issue in 1.23-1+squeeze1, it is best for us to do a security fake sync[1] from the updated Debian Squeeze package. I hope that makes sense and I'm sorry for the earlier confusion.

[1]: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Sync_request_bugs

This bug was fixed in the package atop - 1.23-1+squeeze1build0.10.10.1

---------------
atop (1.23-1+squeeze1build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

atop (1.23-1+squeeze1) stable; urgency=high

  * Non-maintainer upload.
  * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and
    acctproc.c (Closes: #622794)
 -- Tyler Hicks <email address hidden> Fri, 10 Feb 2012 13:01:13 -0600