Comment 1 for bug 1348241

from modules/Ubuntu/Components/plugin/statesaverbackend_p.cpp:

    m_archive = new QSettings(QString("%1/%2.state")
                              .arg(QStandardPaths::standardLocations(QStandardPaths::TempLocation)[0])
                              .arg(applicationName), QSettings::NativeFormat);

QStandardPaths::TempLocation is /tmp by default.

This gets CVE-2014-1420