pkgsrc-Bugs archive


Re: pkg/23337 (ispell's munchlist is unsafe (tmp usage))



The following reply was made to PR pkg/23337; it has been noted by GNATS.

From: "Jeremy C. Reed" <reed%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: pkg/23337 (ispell's munchlist is unsafe (tmp usage))
Date: Mon, 9 Jan 2006 09:21:06 -0800 (PST)

 On Sun, 8 Jan 2006 salo%netbsd.org@localhost wrote:
 
 > ispell uses mktemp for quite some time now.
 
 In the case that mktemp fails, it is vulnerable again. Easy to make 
 it fail: just prepopulate all the possible combinations and then precreate 
 all your symlinks to have it overwrite files. (I provided different 
 patches to them back on Nov. 1, 2003.) Same problem in some other scripts 
 there too. I will email the ispell developers about this again.
 
     Jeremy C. Reed
                         ``Of course it runs NetBSD.''
                             http://www.NetBSD.org/
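
A fail-closed pattern for the failure case described in the message above, as an added example that is not part of the original message and is not ispell's munchlist code. The function names and the `munch` prefix are hypothetical.

```shell
#!/bin/sh
# Added example: temp handling that aborts when mktemp fails instead of
# falling back to a guessable name. All names here are hypothetical.

# Create a private scratch directory and print its path.
# On any failure: return non-zero and print nothing (no fallback path).
make_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d "$base/munch.XXXXXXXXXX" 2>/dev/null)
    rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ] || [ -z "$dir" ]; then
        echo "cannot create temporary directory under $base" >&2
        return 1
    fi
    # mktemp -d creates the directory itself, so a pre-planted name makes
    # it fail rather than be reused; re-check the result anyway.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "unexpected temporary path: $dir" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Write stdin to the path in $1 without overwriting anything.
# With noclobber (set -C) the redirection fails if the name already
# exists as a regular file or as a symlink (dangling or pointing at a
# regular file), so the data never lands on a pre-planted target.
write_exclusive() {
    ( set -C; cat > "$1" ) 2>/dev/null
}
```

A caller runs `workdir=$(make_private_tmpdir) || exit 1`, keeps every intermediate file under `$workdir`, and removes it from an exit trap.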
 


