From owner-freebsd-ports  Wed Jun  7 11:48:34 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id B5D2937B9CC; Wed,  7 Jun 2000 11:48:32 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id LAA16374;
	Wed, 7 Jun 2000 11:48:32 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 7 Jun 2000 11:48:32 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: mi@privatelabs.com
Cc: sobomax@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject: Re: Call for arbitrage [Fwd: Re: ports/19047: net/arpwatch patched
  to use  tmpfile() instead of mktemp()]
In-Reply-To: <200006071555.LAA92187@misha.privatelabs.com>
Message-ID: <Pine.BSF.4.21.0006071141160.15405-100000@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 7 Jun 2000 mi@privatelabs.com wrote:

> = int fd;
> = FILE *fp;
> = 
> = if ((fd = mkstemp(foo)) == -1) {
> = 	err(1, "mkstemp");
> = } else {
> = 	unlink(fd);
> = }
> = if ((fp = fdopen(fd, "w+")) == NULL)
> = 	err(1, "fdopen");
> = 
> = ...
> 
> Thank  you, Kriss,  for agreeing  to  moderate, but  your suggestion  in
> itself is not applicable:
> 

>   	     int unlink(const char *pathname);

unlink(foo);

> = This  method  is   portable  across  platforms,  and   can  safely  be
> = reintegrated by the software author.
> 
> The use of tmpfile is no less portable then the use of err :-). At least
> tmpfile _exists_  on other systems,  even if it  is not really  a secure
> solution  on some  of  them  (which ones?  is  arpwatch  even ported  to
> others?)

So don't use err() - it's hardly the critical part of the sample code I
posted.

The danger is that tmpfile exists, *but has different, insecure
semantics*, on other platforms, and so the code may compile but be even
more insecure than now. That's unacceptable.

> However, I'm glad I  was able to spot the ld's warning  about the use of
> mktemp and will now rest. The submitted patch works and is secure on all
> of the  BSDs -- the  users of the  ports tree. The  arpwatch maintainers
> will create their own anyway, I suspect.

As ports security officer, I'm requesting that you either rewrite the
patch to solve the problem correctly, or let the PR be closed.

This is not about what's easiest to code or what suits your "ego", it's
about what is secure on all platforms. I don't want to see patches using
tmpfile() going into ports.

Thanks,

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message