oss-sec mailing list archives
Re: caml-light insecure temporary files
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 06 Nov 2011 22:59:34 +0100
* David Holland:
> I don't know if anyone besides us still ships caml-light; it is long dead upstream and obsoleted by ocaml. AFAICT neither Debian nor Red Hat does. But just in case: it uses mktemp() insecurely, and also does unsafe things in /tmp during make install.
Moscow ML includes a copy of the affected code, and it's perhaps less obsolete than caml-light. It seems to be part of the FreeBSD ports collection.