From owner-freebsd-audit Thu Nov 2 19:12:54 2000 Delivered-To: freebsd-audit@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 4E1AA37B4C5; Thu, 2 Nov 2000 19:12:52 -0800 (PST) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id WAA409282; Thu, 2 Nov 2000 22:12:33 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: References: Date: Thu, 2 Nov 2000 22:12:32 -0500 To: Mike Heffner From: Garance A Drosihn Subject: Re: sort(1) tempfile patch Cc: Kris Kennaway , audit@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG At 6:06 PM -0500 11/2/00, Mike Heffner wrote: >It was just never applied, I had submitted a PR about it too, >(bin/16929) and got the reply: > >From: Tim Vanderhoek > To: freebsd-gnats-submit@FreeBSD.org, spock@techfour.net > Subject: Re: bin/16929: [PATCH] prevent possible race condition > Date: Tue, 16 May 2000 00:36:58 -0400 (EDT) > > > sort can create the following predictable tempfiles: > > /tmp/sort{pid}{seq} > > It appears that the security implications of this have > already been fixed in rev.1.11 of src/gnu/usr.bin/sort/sort.c. > >so nothing was really done about it. Does that imply the security issue is already fixed (one way or another) in rev 1.11, but that we never upgraded to rev 1.11? I mean, if the security implications were addressed, then what is it that prompts Kris's update. -- --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message