Re: CVS commit: pkgsrc/sysutils/gentoo
On Mon, 26 Jan 2009 06:40:03 +0900, David Holland
> On Sun, Jan 25, 2009 at 01:12:44PM +0000, OBATA Akio wrote:
> > Modified Files:
> > pkgsrc/sysutils/gentoo: Makefile distinfo
> > Removed Files:
> > pkgsrc/sysutils/gentoo/patches: patch-ae
> > Log Message:
> > Remove patch-ae.
> > It replaces tmpnam() with mkdtemp(), but
> > * It exists since initial import, but no reason.
> > * mkdtemp(3) is not portable, but used unconditionally, reported by PR
> > * tmpnam(3) is used to get temp filename, but mkdtemp(3) creates temp
> > and returns the path. So, the replacement is completely mistaken.
> > Bump PKGREVISION.
> This is incorrect - you've introduced insecure-temporary-files.
> Please put patch-ae back, and revise it to use mkstemp() instead of
> mkdtemp(). Perhaps something like this (untested):
patch-ae was broken, and I don't think it is so insecure
(maybe, should pass O_EXCL to open though).
If you think this issue should be fixed, please.
"Of course I love NetBSD":-)
OBATA Akio / obache%NetBSD.org@localhost
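
The O_EXCL and mkstemp() points raised in this thread, as an added C example that is not part of the original messages or of the gentoo package: it opens a name that is already taken with and without O_EXCL, then creates a file with mkstemp(). The scratch path `/tmp/tmpdemo.XXXXXX`, the file names `guess`, `other` and `safe`, and the functions `open_named_temp` and `run_demo` are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700   /* expose mkstemp/mkdtemp/symlink under strict -std */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* tmpnam()-style caller: the name is chosen first, the file opened later.
 * With excl set, O_EXCL makes open() fail if anything, including a
 * symlink, already exists at that path. Returns an fd, or -1 with errno. */
int open_named_temp(const char *path, int excl)
{
    return open(path, O_WRONLY | O_CREAT | (excl ? O_EXCL : 0), 0600);
}

/* Returns 0 when every step behaves as described, else the failing step. */
int run_demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";      /* constructed scratch location */
    char guess[64], other[64], safe[64];
    struct stat st;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL) return 1;      /* mkdtemp creates a directory */
    snprintf(guess, sizeof guess, "%s/guess", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(safe, sizeof safe, "%s/safe.XXXXXX", dir);
    if (symlink(other, guess) != 0) rc = 2;  /* name is taken before we open */

    fd = open_named_temp(guess, 0);          /* no O_EXCL: link is followed */
    if (fd < 0 || stat(other, &st) != 0) rc = rc ? rc : 3;
    if (fd >= 0) close(fd);

    fd = open_named_temp(guess, 1);          /* O_EXCL: refused with EEXIST */
    if (fd >= 0 || errno != EEXIST) rc = rc ? rc : 4;
    if (fd >= 0) close(fd);

    fd = mkstemp(safe);                      /* name + O_EXCL create in one call */
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0077) != 0)
        rc = rc ? rc : 5;
    if (fd >= 0) close(fd);

    unlink(safe); unlink(guess); unlink(other); rmdir(dir);
    return rc;
}

int main(void) { return run_demo(); }
```

A return value of 0 means the open without O_EXCL wrote through the existing name, the open with O_EXCL was refused, and the mkstemp() file has no group or other permissions.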