Hi, I (re?)discovered an entertaining way to introduce tmpfile vulnerabilities while using the right tools (tempfile/mktemp). The general pattern is: TEMPFILE=`tempfile`.suffix as opposed to TEMPFILE=`tempfile --suffix .suffix` An attacker can monitor /tmp using inotify, wait for the relevant file to be created and can the quickly create the corresponding tmpfile.suffix symbolic link to escalate privileges. This can be found in: 1) localepurge http://bugs.debian.org/736359 $ grep tempfile -r . ./debian/postrm: DEBREINSTALL="$(tempfile).$$" ./debian/localepurge.config:TEMPFILE=$(tempfile).$$ ./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen $ The localepurge package is Debian-specific. The relevant runs at installation time as root. 2) syncevolution http://bugs.debian.org/736357 $ grep 'mktemp`\.' -r . ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o $ The relevant code is part of the upstream package and is executed at build time. 3) axiom (packaging) http://bugs.debian.org/736358 $ grep 'tempfile).' -r . ./debian/axiom-test.sh:k=$(tempfile).input $ The relevant code is part of the Debian packaging (upstream axiom is not affected). It can be used on Debian systems to run the test suite when the relevant package is installed. The Debian bug reports are the initial public mentioning of these particular issues. Please assign CVE identifiers as needed.