Re: CVE id request: mktemp

[Nico Golde <oss-security+ml () ngolde de>]

Hi Todd,
* Todd C. Miller <Todd.Miller () courtesan com> [2008-08-18 13:54]:
> In message <20080818085956.GB29717 () suse de>
>       so spake Sebastian Krahmer (krahmer):
>
> > BTW, mktemp(1) is using O_EXCL anyway, so I dont see
> > an issue. Additionally all of our scripts use
> > more than 6 X' as also shown in the
> > example section of the manpage. We are not going to
> > release updates for this non-issue.
>
> I don't think it is a security issue either.  Vendors can also just
> configure mktemp with the --with-libc flag to use the libc
> mkstemp()/mkdtemp() functions instead of the bundled version if
> they prefer.

I disagree because mktemp offers the functionality of just 
creating the file name and instantly unlinking it thus only 
providing the generation of a random name. While I don't 
think that many scripts rely on this it can be the case.

--with-libc is not used by some vendors because it limits 
the template used for the file name. mktemp from coreutils 
should be a better choice any way...

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: