Re: CVS commit: pkgsrc/sysutils/gentoo
On Tue, 27 Jan 2009 01:16:21 +0900, Adam Hoka <adam.hoka%gmail.com@localhost> wrote:
> OBATA Akio wrote:
>> On Mon, 26 Jan 2009 06:40:03 +0900, David Holland
>> <dholland-pkgchanges%netbsd.org@localhost> wrote:
>> > On Sun, Jan 25, 2009 at 01:12:44PM +0000, OBATA Akio wrote:
>> > > Modified Files:
>> > > pkgsrc/sysutils/gentoo: Makefile distinfo
>> > > Removed Files:
>> > > pkgsrc/sysutils/gentoo/patches: patch-ae
>> > >
>> > > Log Message:
>> > > Remove patch-ae.
>> > > It replaces tmpnam() with mkdtemp(), but:
>> > > * It has existed since the initial import, but for no reason.
>> > > * mkdtemp(3) is not portable, but is used unconditionally, as reported by PR 39717.
>> > > * tmpnam(3) is used to get a temp filename, but mkdtemp(3) creates a temp directory
>> > >   and returns the path. So, the replacement is completely mistaken.
>> > >
>> > > Bump PKGREVISION.
>> > This is incorrect - you've introduced insecure temporary files.
>> > Please put patch-ae back, and revise it to use mkstemp() instead of
>> > mkdtemp(). Perhaps something like this (untested):
>> patch-ae was broken, and I don't think it is so insecure
>> (maybe it should pass O_EXCL to open, though).
>> If you think this issue should be fixed, please.
> Symlink attacks can be quite nasty. :)
Yes, I don't like the situation, allowing symlink attacks to be tried in tmpdir. :(
"Of course I love NetBSD":-)
OBATA Akio / obache%NetBSD.org@localhost
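The three calls the thread argues over, side by side, as an added example that is not code from pkgsrc, the gentoo package, or anyone in this thread. It shows the tmpnam()-then-open() pattern that patch-ae was meant to remove, the mkstemp() replacement David Holland asked for, the O_EXCL check OBATA mentioned, and why mkdtemp() is not a substitute for a temp file name. The template prefix "gentoo", the use of $TMPDIR, and all function names are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<$TMPDIR or /tmp>/<prefix>.XXXXXX" into buf. The trailing X's are the
 * characters mkstemp(3)/mkdtemp(3) replace with a random suffix.
 * The prefix "gentoo" used below is an assumed name for illustration only. */
static int build_template(char *buf, size_t len, const char *prefix)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(buf, len, "%s/%s.XXXXXX", dir, prefix);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* The pattern the thread objects to: tmpnam(3) returns a name, and the file is
 * opened afterwards without O_EXCL. Anything another process places at that
 * path in between (a symlink, say) is followed by open(2). Kept only for
 * contrast; the link-time warning glibc prints for tmpnam is deserved. */
int open_temp_insecure(char *path, size_t len)
{
    char name[L_tmpnam];
    if (tmpnam(name) == NULL || strlen(name) >= len)
        return -1;
    strcpy(path, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* What David Holland asked for: mkstemp(3) generates the name and opens the
 * file in one O_CREAT|O_EXCL step with mode 0600, so there is no window
 * between choosing the name and creating the file. Returns the open fd. */
int open_temp_secure(char *path, size_t len)
{
    if (build_template(path, len, "gentoo") != 0)
        return -1;
    return mkstemp(path);
}

/* mkdtemp(3), which patch-ae used, is the directory counterpart: it creates a
 * new 0700 directory and returns its path. It does not yield a temp file
 * name, which is the mismatch the commit message describes. */
int make_temp_dir(char *path, size_t len)
{
    if (build_template(path, len, "gentoo") != 0)
        return -1;
    return mkdtemp(path) != NULL ? 0 : -1;
}

/* The O_EXCL check OBATA mentions: fail with EEXIST if anything, symlink
 * included, already sits at the path, instead of following it. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Inspect the open fd rather than the path (re-checking by path would
 * reintroduce a race): 1 if it is a regular file with mode 0600, else 0. */
int fd_is_private_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

/* 1 if path is a directory with mode 0700 (what mkdtemp creates), else 0. */
int path_is_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0700;
}

/* Exercise the secure calls end to end and clean up after them.
 * Returns 0 on success, otherwise the number of the step that failed. */
int run_checks(void)
{
    char file[256], dir[256];
    int fd = open_temp_secure(file, sizeof file);
    if (fd < 0)                                           return 1;
    if (!fd_is_private_file(fd))                          return 2;
    errno = 0;
    if (create_exclusive(file) != -1 || errno != EEXIST)  return 3; /* already exists: refused */
    if (close(fd) != 0 || unlink(file) != 0)              return 4;
    if (make_temp_dir(dir, sizeof dir) != 0)              return 5;
    if (!path_is_private_dir(dir))                        return 6;
    if (rmdir(dir) != 0)                                  return 7;
    return 0;
}

int main(void)
{
    int rc = run_checks();
    printf("temp file checks: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The file is verified through the descriptor returned by mkstemp(), not by stat()ing the path again, because a second path lookup would reopen the window that mkstemp() closed. The same fd-based check is what a reviewer would ask for in place of any post-hoc test on the name tmpnam() returned.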