2ad97ee4b1
Solar Designer did an audit of temp file handling in groff-1.20. He found and fixed *lots* of ugliness, but most does not look exploitable and some was already improved in groff-1.21. This is my own fix for the only one that, with a huge amount of extra paranoia, might be worth patching. To mount an exploit, the attacker would need to trick root into setting an unusable TMPDIR (or similar) variable in the environment such that mktemp -d fails, then convince root to run pdfroff (*you* don't run that as root, do you?), then handle a race condition to find the PID and predict the temp file name to mount a symlink attack. "I think we should still go for the fix" jasper@