oss-sec mailing list archives
Re: CVE id request: mktemp
From: Nico Golde <oss-security+ml () ngolde de>
Date: Mon, 18 Aug 2008 13:57:20 +0200
Hi Todd, * Todd C. Miller <Todd.Miller () courtesan com> [2008-08-18 13:54]:
In message <20080818085956.GB29717 () suse de> so spake Sebastian Krahmer (krahmer):BTW, mktemp(1) is using O_EXCL anyway, so I dont see an issue. Additionally all of our scripts use more than 6 X' as also shown in the example section of the manpage. We are not going to release updates for this non-issue.I don't think it is a security issue either. Vendors can also just configure mktemp with the --with-libc flag to use the libc mkstemp()/mkdtemp() functions instead of the bundled version if they prefer.
I disagree because mktemp offers the functionality of just creating the file name and instantly unlinking it thus only providing the generation of a random name. While I don't think that many scripts rely on this it can be the case. --with-libc is not used by some vendors because it limits the template used for the file name. mktemp from coreutils should be a better choice any way... Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id request: mktemp Nico Golde (Aug 15)
- Re: CVE id request: mktemp Todd C. Miller (Aug 15)
- Re: CVE id request: mktemp Sebastian Krahmer (Aug 18)
- Re: CVE id request: mktemp Nico Golde (Aug 18)
- Re: CVE id request: mktemp Todd C. Miller (Aug 18)
- Re: CVE id request: mktemp Steven M. Christey (Aug 18)
- Re: CVE id request: mktemp Nico Golde (Aug 18)
- Re: CVE id request: mktemp Nico Golde (Aug 18)
- Re: CVE id request: mktemp Todd C. Miller (Aug 18)
- Re: CVE id request: mktemp Nico Golde (Aug 18)