Re: CVS commit: pkgsrc/sysutils/gentoo
On Mon, Jan 26, 2009 at 07:31:14PM +0900, OBATA Akio wrote:
> > > > This is incorrect - you've introduced insecure-temporary-files.
> > > >
> > > > Please put patch-ae back, and revise it to use mkstemp() instead of
> > > > mkdtemp(). Perhaps something like this (untested):
> > >
> > > patch-ae was broken, and I don't think it is so insecure
> > > (maybe, should pass O_EXCL to open though).
> > Not just maybe. It's fully insecure this way.
> > > If you think this issue should be fixed, please.
> > I don't have time to do it right, but I'll commit what I've got. If it
> > turns out not to work, we're no worse off than with the mkdtemp().
> Just reported to upstream:
(I just stuck this url in the patch file.)
David A. Holland
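
The difference the thread argues over (plain open(), open() with O_EXCL, and mkstemp()), shown as an added example that is not part of the original messages or of the package's patch. The /tmp sandbox directory and all file names in it are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a bitmask: 1 = plain open() wrote through the pre-existing link,
 * 2 = O_EXCL open was refused with EEXIST, 4 = mkstemp() made a fresh private file. */
int tempfile_demo(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX";   /* constructed sandbox directory */
    char target[64], fixed[64], tmpl[64];
    struct stat st;
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/other-file", dir);
    snprintf(fixed, sizeof fixed, "%s/app.tmp", dir);     /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

    /* The predictable name is already taken: it is a link to another file. */
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(target, fixed) != 0) return -1;
    /* Weak: O_CREAT alone opens whatever is there and follows the link. */
    fd = open(fixed, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) {
        if (write(fd, "data", 4) == 4 && stat(target, &st) == 0 && st.st_size == 4)
            result |= 1;                  /* the other file was modified */
        close(fd);
    }
    /* O_EXCL: fails with EEXIST if the name exists, even as a symlink. */
    fd = open(fixed, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);
    /* mkstemp(): picks an unused name and creates it exclusively. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && (st.st_mode & 077) == 0 && st.st_size == 0)
            result |= 4;                  /* new, empty, no group/other access */
        close(fd);
        unlink(tmpl);
    }
    unlink(fixed); unlink(target); rmdir(dir);
    return result;
}

int main(void) { printf("result mask = %d\n", tempfile_demo()); return 0; }
```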