pkgsrc-Changes archive


Re: CVS commit: pkgsrc/sysutils/gentoo



On Mon, 26 Jan 2009 06:40:03 +0900, David Holland 
<dholland-pkgchanges%netbsd.org@localhost> wrote:

> On Sun, Jan 25, 2009 at 01:12:44PM +0000, OBATA Akio wrote:
>  > Modified Files:
>  >    pkgsrc/sysutils/gentoo: Makefile distinfo
>  > Removed Files:
>  >    pkgsrc/sysutils/gentoo/patches: patch-ae
>  >
>  > Log Message:
>  > Remove patch-ae.
>  > It replaces tmpnam() with mkdtemp(), but
>  >  * It exists since initial import, but no reason.
>  >  * mkdtemp(3) is not portable, but used unconditionally, reported by PR 39717.
>  >  * tmpnam(3) is used to get temp filename, but mkdtemp(3) creates temp directory,
>  >    and returns the path.  So, the replacement is completely mistaken.
>  >
>  > Bump PKGREVISION.
>
> This is incorrect - you've introduced insecure-temporary-files.
>
> Please put patch-ae back, and revise it to use mkstemp() instead of
> mkdtemp(). Perhaps something like this (untested):

patch-ae was broken, and I don't think it is so insecure
(maybe, should pass O_EXCL to open though).

If you think this issue should be fixed, please.

-- 
"Of course I love NetBSD":-)
OBATA Akio / obache%NetBSD.org@localhost
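As an added example that is not part of the thread, and not David Holland's proposed patch (which the message does not reproduce), this C code shows what an mkstemp()-based replacement for a tmpnam() call looks like, beside the O_CREAT|O_EXCL open mentioned in the reply and an fstat check of the result. The directory argument, the gentoo.XXXXXX template and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a temporary *file* under `dir` (mkdtemp(3), which the removed patch
 * used, makes a directory).  mkstemp(3) fills in the X's, creates the file
 * with O_EXCL semantics and mode 0600 and returns an open fd, so there is no
 * window between choosing a name and creating it, unlike tmpnam()+open(). */
int create_temp_file(const char *dir, char *path_out, size_t out_len)
{
    char tmpl[1024];
    if (snprintf(tmpl, sizeof tmpl, "%s/gentoo.XXXXXX", dir) >= (int)sizeof tmpl
        || strlen(tmpl) >= out_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmpl);            /* name and file created atomically */
    if (fd >= 0) strcpy(path_out, tmpl);
    return fd;                         /* -1 with errno set on failure */
}

/* With a caller-chosen name, open() must pass O_CREAT|O_EXCL (the point raised
 * in the reply) so it fails with EEXIST instead of following what is there. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Regular file, owned by us, a single link, no group/other permission bits. */
int temp_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && st.st_nlink == 1 && (st.st_mode & 077) == 0;
}
/* Exercise the above in `dir`; returns 1 if every check passes, else 0. */
int run_demo(const char *dir)
{
    char path[1024];
    int fd = create_temp_file(dir, path, sizeof path);
    int ok = fd >= 0 && temp_fd_is_private(fd) && open_exclusive(path) == -1 && errno == EEXIST;
    if (fd >= 0) { close(fd); unlink(path); }
    return ok;
}
```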

