gnome-color-manager uses predictable file names in /tmp in a few places. The first instance is in gcm-hull-widget.c, function gcm_hull_widget_add(). Other instances are in gcm-calibrate.c, via working_path (which is initialized to /tmp). I believe that this is not a security issue because of the way glib creates these files (no symlink/hard link attacks are possible), but if the file remains in /tmp for some reason, other users cannot use this functionality.
(In reply to Florian Weimer from comment #0)
> gnome-color-manager uses predictable file names in /tmp in a few places.

First, thanks for the security review.

> The first instance is in gcm-hull-widget.c, function gcm_hull_widget_add().

This is a valid upstream bug, but we don't actually use this code in RHEL as we don't have libmash, and hence don't use any of the *Hull* code at all. For upstream, I've committed this:

commit 42ae05a8914f8f1adc52e5296b281f0bc5080718
Author: Richard Hughes <richard>
Date:   Tue Jul 30 09:36:53 2013 +0100

    Do not use a predictable name when saving the PLY temp file

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=958088

> Other instances are in gcm-calibrate.c, via working_path (which is
> initialized to /tmp).

Again, we don't use gcm-calibrate*.* in RHEL, as we don't have argyllcms. I'm working upstream to move this functionality down to colord, so in the next branch this file will probably not exist. Argyllcms creates its own temp files with unique names in Fedora, so I think this is fine for now.

> but if the file
> remains in /tmp for some reason, other users cannot use this functionality.

Agreed.

I'll mark this NOTABUG from a RHEL7 point of view, but push that PLY fix into F19 and rawhide. Thanks.
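The two behaviours discussed in this thread, shown side by side as an added example (this is not code from the bug report, from gnome-color-manager, or from the upstream commit): a fixed, predictable name in /tmp that is created with O_CREAT|O_EXCL is safe against symlink and hard-link planting, but a stale file left by any user locks everyone else out with EEXIST, which is the denial-of-service Florian describes. A name from mkstemp() avoids both problems. Plain POSIX C is used rather than glib so the block runs anywhere; g_mkstemp() and g_file_open_tmp() in glib are wrappers around the same mkstemp() call. The paths /tmp/gcm-demo-fixed.ply and /tmp/gcm-demo-XXXXXX are constructed demo names, not paths used by the project.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predictable name, created safely: O_CREAT|O_EXCL refuses to open anything
 * that already exists at the path (regular file, symlink, or hard link planted
 * by another user), so no link attack succeeds.  The price is that a stale
 * file left behind by any user blocks everyone else: open() fails, EEXIST. */
int open_fixed_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Unpredictable name: mkstemp() replaces the trailing XXXXXX with random
 * characters and opens the result with O_CREAT|O_EXCL in one step, so a
 * leftover file from someone else never collides with the new one. */
int open_unique_tmp(char *template_in_out)
{
    return mkstemp(template_in_out);
}

/* Returns 1 if a second opener of the same fixed name is locked out with
 * EEXIST while the first file still exists, 0 if not, -1 on setup error. */
int fixed_name_blocks_second_user(const char *path)
{
    unlink(path);                     /* start clean; demo path is constructed */
    int fd1 = open_fixed_tmp(path);   /* first user: succeeds */
    if (fd1 < 0)
        return -1;
    int fd2 = open_fixed_tmp(path);   /* second user: same name, still present */
    int blocked = (fd2 < 0 && errno == EEXIST);
    close(fd1);
    if (fd2 >= 0)
        close(fd2);
    unlink(path);
    return blocked;
}

/* Returns 1 if two mkstemp() calls on the same template both succeed and
 * yield distinct paths, 0 otherwise. */
int unique_names_do_not_collide(const char *tmpl)
{
    char a[256], b[256];
    if (strlen(tmpl) >= sizeof a)
        return 0;
    strcpy(a, tmpl);
    strcpy(b, tmpl);
    int fa = open_unique_tmp(a);
    int fb = open_unique_tmp(b);
    int ok = (fa >= 0 && fb >= 0 && strcmp(a, b) != 0);
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    return ok;
}

int main(void)
{
    printf("fixed name blocks second user: %d\n",
           fixed_name_blocks_second_user("/tmp/gcm-demo-fixed.ply"));
    printf("unique names do not collide:   %d\n",
           unique_names_do_not_collide("/tmp/gcm-demo-XXXXXX"));
    return 0;
}
```

The fixed-name variant is what makes Florian's "no symlink/hard link attacks" observation hold: O_EXCL fails on any pre-existing directory entry, and O_NOFOLLOW is belt and braces on top of that. It does nothing about the availability problem, which is why the upstream fix switches the PLY file to a generated name.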