Re: CVS commit: pkgsrc/sysutils/gentoo

To: "David Holland" <dholland-pkgchanges%netbsd.org@localhost>
Subject: Re: CVS commit: pkgsrc/sysutils/gentoo
From: "OBATA Akio" <obache%netbsd.org@localhost>
Date: Mon, 26 Jan 2009 19:31:14 +0900

On Mon, 26 Jan 2009 13:44:56 +0900, David Holland 
<dholland-pkgchanges%netbsd.org@localhost> wrote:

> On Mon, Jan 26, 2009 at 10:12:43AM +0900, OBATA Akio wrote:
>  > > This is incorrect - you've introduced insecure-temporary-files.
>  > >
>  > > Please put patch-ae back, and revise it to use mkstemp() instead of
>  > > mkdtemp(). Perhaps something like this (untested):
>  >
>  > patch-ae was broken, and I don't think it is so insecure
>  > (maybe, should pass O_EXCL to open though).
>
> Not just maybe. It's fully insecure this way.
>
>  > If you think this issue should be fixed, please.
>
> I don't have time to do it right, but I'll commit what I've got. If it
> turns out not to work, we're no worse off than with the mkdtemp().

Just reported to upstream:
https://sourceforge.net/tracker/?func=detail&atid=406763&aid=2537314&group_id=32880

-- 
"Of course I love NetBSD":-)
OBATA Akio / obache%NetBSD.org@localhost

Follow-Ups:
- Re: CVS commit: pkgsrc/sysutils/gentoo
  - From: David Holland

References:
- CVS commit: pkgsrc/sysutils/gentoo
  - From: OBATA Akio
- Re: CVS commit: pkgsrc/sysutils/gentoo
  - From: David Holland
- Re: CVS commit: pkgsrc/sysutils/gentoo
  - From: OBATA Akio
- Re: CVS commit: pkgsrc/sysutils/gentoo
  - From: David Holland

Prev by Date: CVS commit: pkgsrc/multimedia/gst-plugins0.10-good
Next by Date: CVS commit: pkgsrc/multimedia/gstreamer0.10
Previous by Thread: Re: CVS commit: pkgsrc/sysutils/gentoo
Next by Thread: Re: CVS commit: pkgsrc/sysutils/gentoo
Indexes:

Home | Main Index | Thread Index | Old Index