Date: Tue, 6 Jun 2000 10:30:02 -0700 (PDT)
From: Ade Lovett <ade@lovett.com>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Message-ID: <200006061730.KAA24399@freefall.freebsd.org>
The following reply was made to PR ports/19047; it has been noted by GNATS.

From: Ade Lovett <ade@lovett.com>
To: mi@privatelabs.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Date: Tue, 6 Jun 2000 12:22:21 -0500

On Tue, Jun 06, 2000 at 01:09:35PM -0400, mi@privatelabs.com wrote:
> Yes, thanks for pointing out the obvious. I believe, it is also obvious
> that ``fp = tmpfile()'' is MUCH shorter and cleaner

You forgot ".. and potentially susceptible to a number of security
issues which may be capable of causing the program, and possibly the
system, to be compromised."

We're trying to get rid of security issues in ports, not add them in.

> The fact that I happen to disagree with the man-page does not mean that
> I did not read it. I did. FreeBSD does not need to care:

Irrelevant. There is a well-defined, secure, interface for creating
temporary files. It's called mkstemp(). Use it.

The patch as it stands should absolutely not go into the tree, unless
y'all just want the port marked FORBIDDEN= "bungled security patch"

-aDe

--
Ade Lovett, Austin, TX.