Date:      Tue, 05 Feb 2002 23:34:03 +1000
From:      Stephen McKay <mckay@thehub.com.au>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Ian Dowse <iedowse@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, mckay@thehub.com.au
Subject:   Re: cvs commit: src/usr.sbin/ctm/ctm_rmail ctm_rmail.c 
Message-ID:  <200202051334.g15DY3c18696@dungeon.home>
In-Reply-To: <20020204190431.A36742@xor.obsecurity.org> from Kris Kennaway at "Mon, 04 Feb 2002 19:04:31 -0800"
References:  <200201222254.g0MMsqg19740@freefall.freebsd.org> <200202041157.g14BvhC06852@dungeon.home> <20020204190431.A36742@xor.obsecurity.org>

On Monday, 4th February 2002, Kris Kennaway wrote:

>On Mon, Feb 04, 2002 at 09:57:43PM +1000, Stephen McKay wrote:
>> This is pretty silly.  The right way to fix this is to revert back to
>> using mktemp().  Probably revert the whole 1.14 delta.  I'll put this
>> on my TODO list.
>
>As I recall, the former use of mktemp() was insecure, which was the
>reason it was changed to use the secure mkstemp().  It should not be
>regressed.

Have a closer look.  It's misplaced paranoia.  Which other program
attempts to guard against malicious file name manipulation in directories
that are *not* world writable?  All mkstemp() does in this case is leave
the files with the wrong permissions.  So it's still on my TODO list.

By the way, I intend to examine the ctm suite to see what will happen
when sequence numbers overflow 4 digits (which should be about a year
from now, I think).  Probably a few bugs there.

Oh, and I'm happy to field ctm related bugs (since I still use it),
except for those to do with actually generating deltas (I don't have
any control over CTM delta generation).  I just never get around to
searching the bugs list for things I should care about.

Stephen.
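The permission point in the message above, shown as an added example that is not part of the thread or of the ctm sources: mkstemp() creates its file O_CREAT|O_EXCL with mode 0600 regardless of umask, which is what "the wrong permissions" refers to, and one way to keep the atomic, race-free create while still ending up with the intended mode is to fchmod() the open descriptor (so no path is looked up a second time) using the umask-adjusted target that open(2) with an explicit mode would have produced. Directory, template name and the 0644 target are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Create a temp file in dir with mkstemp(), optionally fchmod() it to the
 * umask-adjusted `wanted` mode, read back its permission bits, and unlink it.
 * Returns the bits (st_mode & 0777) or -1 on error. */
static int temp_mode(const char *dir, int apply_fchmod, mode_t wanted)
{
    char path[4096];
    /* mkstemp() requires the template to end in XXXXXX and rewrites it in place.
     * "ctm_example" is a constructed name, not anything from ctm_rmail. */
    if (snprintf(path, sizeof path, "%s/ctm_example.XXXXXX", dir) >= (int)sizeof path)
        return -1;

    int fd = mkstemp(path);   /* O_CREAT|O_EXCL, mode 0600, umask is not consulted */
    if (fd < 0)
        return -1;

    if (apply_fchmod) {
        /* Read the process umask without changing it (umask(2) has no getter). */
        mode_t um = umask(0);
        umask(um);
        /* fchmod() works on the open descriptor: the name is never re-resolved,
         * so the create/chmod pair stays free of the rename race mktemp() has. */
        if (fchmod(fd, wanted & ~um) != 0) {
            close(fd);
            unlink(path);
            return -1;
        }
    }

    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);             /* the file exists only so we can inspect its mode */
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Permission bits a plain mkstemp() file ends up with (0600 on every umask). */
int mkstemp_default_mode(const char *dir)
{
    return temp_mode(dir, 0, 0);
}

/* 1 if mkstemp()+fchmod() yields exactly `wanted` masked by umask,
 * 0 if the bits differ, -1 on error. */
int mkstemp_with_mode(const char *dir, mode_t wanted)
{
    mode_t um = umask(0);
    umask(um);
    int got = temp_mode(dir, 1, wanted);
    if (got < 0)
        return -1;
    return got == (int)(wanted & ~um);
}

int main(void)
{
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    printf("mkstemp() alone leaves mode %04o\n", mkstemp_default_mode(dir));
    printf("mkstemp()+fchmod(0644 & ~umask) hits the target: %d\n",
           mkstemp_with_mode(dir, 0644));
    return 0;
}
```

Running it with the usual umask of 022 prints 0600 for the bare mkstemp() case and 1 for the fchmod() variant, i.e. the file ends at 0644 just as open(path, O_CREAT, 0644) would have left it, without giving up the exclusive create.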
