COMMAND

    Midnight Commander

SYSTEMS AFFECTED

    Linux, (others?)

PROBLEM

    Adrian Voinea found following.  mc 4.5.0 creates a temporary  file
    in /tmp when it's started.  It's called talk.fish and has the mode
    644.  If  a user would  link the file  to /etc/passwd or  anything
    else, when  the root  would start  mc, the  file would  be erased.
    There are more  /tmp/ holes in  midnight commander, beware.  Extfs
    scripts contain some.

SOLUTION

    This  is  fixed  in  CVS  and  fixed on the released 4.5.1 version
    available in:

        ftp://ftp.nuclecu.unam.mx/linux/local/devel

    Please  note  as  that  versions  4.5.xx of Midnight Commander are
    development version of Midnight  Commander, so they should  not be
    part of an OS distribution.  The stable version is version 4.1.36.
    Users of 4.5.0 are urged to upgrade to 4.5.1

    Workaround is  to create  /tmp/talk.fish yourself,  so that  noone
    can put symlink there.