Comment 0 for bug 720112

Binary package hint: indicator-weather

indicator-weather doesn't not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:

if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False

if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()

This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by a os.rename() to the pidPath, and exit with error if os.rename() fails.