pkgsrc-Changes archive


Re: CVS commit: pkgsrc/sysutils/gentoo



On Tue, 27 Jan 2009 01:16:21 +0900, Adam Hoka <adam.hoka%gmail.com@localhost> wrote:

> OBATA Akio wrote:
>
>> On Mon, 26 Jan 2009 06:40:03 +0900, David Holland <dholland-pkgchanges%netbsd.org@localhost> wrote:
>>
>> > On Sun, Jan 25, 2009 at 01:12:44PM +0000, OBATA Akio wrote:
>> >  > Modified Files:
>> >  >         pkgsrc/sysutils/gentoo: Makefile distinfo
>> >  > Removed Files:
>> >  >         pkgsrc/sysutils/gentoo/patches: patch-ae
>> >  >
>> >  > Log Message:
>> >  > Remove patch-ae.
>> >  > It replaces tmpnam() with mkdtemp(), but
>> >  >  * It has existed since the initial import, but for no reason.
>> >  >  * mkdtemp(3) is not portable, but is used unconditionally, reported by PR 39717.
>> >  >  * tmpnam(3) is used to get a temp filename, but mkdtemp(3) creates a temp directory
>> >  >    and returns the path.  So, the replacement is completely mistaken.
>> >  >
>> >  > Bump PKGREVISION.
>> >
>> > This is incorrect - you've introduced insecure temporary files.
>> >
>> > Please put patch-ae back, and revise it to use mkstemp() instead of
>> > mkdtemp(). Perhaps something like this (untested):
>>
>> patch-ae was broken, and I don't think it is so insecure
>> (maybe it should pass O_EXCL to open, though).
>>
>> If you think this issue should be fixed, please.
>
> Symlink attacks can be quite nasty. :)

Yes, I don't like the situation, which allows symlink attacks in tmpdir to be attempted. :(

-- 
"Of course I love NetBSD":-)
OBATA Akio / obache%NetBSD.org@localhost
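
As an added illustration of the mkstemp()/O_EXCL point raised in this thread (example code, not the gentoo package's own code nor the contents of patch-ae): mkstemp() replaces tmpnam()+open() by creating and opening the file in one step, and O_CREAT|O_EXCL is what makes a planted symlink fail rather than be followed. The `gentoo.XXXXXX` template prefix and the self-test are assumptions for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Safe replacement for tmpnam()+open(): mkstemp() creates and opens the
 * file in one step with O_CREAT|O_EXCL and mode 0600, so a symlink planted
 * under the chosen name makes it fail with EEXIST instead of being followed.
 * Fills `path` with the created name and returns the open fd, or -1. */
int open_safe_tempfile(char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");          /* honour TMPDIR, default /tmp */
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    /* "gentoo." is an assumed prefix for this example */
    int n = snprintf(path, pathlen, "%s/gentoo.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);                         /* rewrites XXXXXX in place */
}

/* For a name the caller picks itself, the O_EXCL mentioned in the thread is
 * the guard: O_CREAT|O_EXCL fails if anything, a symlink included, already
 * exists at `path`, and the symlink is never followed. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Self-check: create a temp file, confirm that a second exclusive open of
 * the same name is refused with EEXIST, then clean up.  Returns 0 on success. */
int tempfile_selftest(void)
{
    char path[1024];
    int fd = open_safe_tempfile(path, sizeof path);
    if (fd < 0)
        return 1;
    int again = open_exclusive(path);
    int rc = (again == -1 && errno == EEXIST) ? 0 : 2;
    if (again >= 0)
        close(again);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = tempfile_selftest();
    printf("%s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```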

