Description: Avoid symlink vulnerability (CVE-2008-5141)
 https://security-tracker.debian.org/tracker/CVE-2008-5141
Author: dann frazier <dannf@debian.org>
Bug-Debian: https://bugs.debian.org/506350

Index: flamethrower-0.1.8/bin/flamethrower
===================================================================
--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
 
 use strict;
 use File::Path;
+use File::Temp;
 use Getopt::Long;
 
 use lib "/usr/lib/flamethrower";
@@ -23,7 +24,7 @@ my $program_name    = "flamethrower";
 my $version_number  = "INS_VERSION";
 my $conf_file       = '/etc/flamethrower/flamethrower.conf';
 my $transport       = "udp-receiver";
-my $tmp_dir         = "/tmp/.flamethrower.$$";
+my $tmp_dir         = File::Temp::tempdir();
 
 
 my $version_info = <<"EOF";
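Review bot: `File::Temp::tempdir()` on the `$tmp_dir` line now creates the directory as a side effect of the declaration, on every invocation, and without `CLEANUP => 1` nothing in this hunk removes it again. The old code only computed a name, so any later `mkdir`/`mkpath` of `$tmp_dir` (outside this hunk, not visible here) would now find the path already present and should be checked to tolerate that. If no later code removes the directory, consider `my $tmp_dir = File::Temp::tempdir(CLEANUP => 1);`, after confirming that exit-time removal does not race with any forked child still using it.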
@@ -283,13 +284,16 @@ sub flamethrower_client {
     #
     my $udp_cmd;
     my $tar_cmd;
+    my $tar_fh;
+    my $tar_file;
 
+    ($tar_fh, $tar_file) = File::Temp::tempfile();
     if($verbose) {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     } else {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     }
 
     print "$udp_cmd\n" if($verbose);
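Review bot: The file created by `File::Temp::tempfile()` is removed only by the explicit `unlink` at the end of `flamethrower_client` (next hunk), which is skipped when `die("FAILED: $tar_cmd")` fires, so a failed transfer leaves the received tarball behind in the temp directory. Requesting exit-time removal closes that gap: `($tar_fh, $tar_file) = File::Temp::tempfile(UNLINK => 1);`. `$tar_file` is also interpolated unquoted into the shell strings `$udp_cmd` and `$tar_cmd`; its directory presumably follows the environment's temp-directory setting, so a path containing spaces or shell metacharacters would break or change the command. The function starts before and continues past this hunk, so how `$udp_cmd` is executed is not visible here.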
@@ -298,7 +302,8 @@ sub flamethrower_client {
     print "$tar_cmd\n" if($verbose);
     !system($tar_cmd) or die("FAILED: $tar_cmd");
 
-    unlink("/tmp/multicast.tar.$$");
+    close $tar_fh;
+    unlink("$tar_file");
 }
 
 
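Review bot: `unlink("$tar_file")` ignores its return value and stringifies a plain scalar for no reason, so a failed removal silently leaves the received archive on disk. Suggest `unlink($tar_file) or warn "unlink $tar_file: $!";`, and checking `close $tar_fh` the same way. The start of `flamethrower_client` is outside this hunk.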
