libopts build hardcodes /tmp/ path which is a security issue
The autoopts Makefile.am will always create a libopts tarball, which invokes the pkg/libopts/mklibsrc.sh script, which in turn has a hardcoded path:
exec 2> /tmp/mklibsrc-log.tx
This is a security issue: if someone else creates a symlink there, it could be used to clobber arbitrary files. It should be deleted altogether, or use mktemp, or write the output to the same place as the tarball.
Reported here:
https://bugs.gentoo.org/show_bug.cgi?id=563352
Hmm, looks like this was fixed in commit f303a1d5d8d8e002974eb64818f74041325f2433, but it hasn't made it into a release yet.
Hmm. Looks like I'll just close this as "works for me".
You probably want to cut a new release and add a NEWS/ChangeLog entry noting the versions with this security issue in it. As it stands, building the latest versions on a shared system is unsafe.
OK. It was obviously dinkleberry debug stuff that ought to have been removed years ago....
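
The fixed-path redirect from this report next to the mktemp alternative it suggests, as an added example that is not part of the ticket or of the autogen sources. A constructed scratch directory stands in for a shared /tmp, and the function names and the `victim` file are hypothetical.

```shell
#!/bin/sh
# Added illustration; log_fixed_path, log_mktemp, demo and "victim" are
# hypothetical names, and the scratch directory is a constructed stand-in.

# Pattern from the report: stderr redirected to a fixed, predictable path.
# The shell opens it with create+truncate and follows any symlink found there.
log_fixed_path() {
    logfile=$1
    ( exec 2> "$logfile"; echo "build noise" >&2 )
}

# Hardened form: mktemp creates a new file with an unpredictable name,
# exclusively and with mode 0600, so a pre-existing symlink is never opened.
log_mktemp() {
    dir=$1
    logfile=$(mktemp "$dir/mklibsrc-log.XXXXXX") || return 1
    ( exec 2> "$logfile"; echo "build noise" >&2 )
    printf '%s\n' "$logfile"
}

# Check one variant: a symlink already sits at the fixed log name and points
# at a file that must survive. Prints "clobbered" or "intact".
demo() {
    variant=$1
    scratch=$(mktemp -d) || return 1
    printf 'important data\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/mklibsrc-log.tx"
    case $variant in
        fixed)  log_fixed_path "$scratch/mklibsrc-log.tx" ;;
        mktemp) log_mktemp "$scratch" > /dev/null ;;
    esac
    if [ "$(cat "$scratch/victim")" = "important data" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$scratch"
    printf '%s\n' "$result"
}

demo fixed
demo mktemp
```

On Linux, `fs.protected_symlinks=1` blocks the cross-user case in sticky world-writable directories, but a build script that may run on other systems should not rely on it.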