|Subject:||PAR packed files are extracted to unsafe and predictable temporary directories|
par_mktmpdir() makes no effort to verify that the /tmp/par-<username> directory is safe to use (owned by the correct UID and GID, not world writable, no symlinks in the path that are owned by another user.) This makes PAR packed scripts unsafe on multiuser systems. Example: 1) start with a clean /tmp (reboot the system, tmpwatch, etc.) 2) attacker does mkdir /tmp/par-victim 3) victim runs a PAR packed program 4) attacker now moves the cache directory aside and copies it back to its original location so that all she owns all of the files and can modify them at will. 5) victim runs the PAR packed program again and is now executing attacker's code.