Comment 4 for bug 2043711
Revision history for this message
| Andrew J. Caines (cainesaj) wrote Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common | #4 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
@vorlon, Thank you for your considered response. I concur that this is not a vulnerability in the Ubuntu perl package.
While I do not disagree with any of the points you make, the fact remains that processes running as root created a file directly in /tmp not using a safe *mktemp* process and later ran the code in that file. The risks of doing this are sufficiently well understood, as the preferable alternatives.
Given that that this quite vanilla Ubuntu system and that this behaviour was only observed as a result of the reasonable and fairly common configuration of mounting `/tmp` with *noexec* and did so while running updates in a fully supported manner, i.e. with *Software Updater*, this remains a bug with a directly associated security risk. That is to say - as you expressed it - this comes from an Ubuntu package, though I don't know which.
Do you recommend that I do anything other than change the Package to "debconf" and Status to "New"?
@juliank, *apt-utils* is installed.