From owner-freebsd-ports Tue Jun 6 10:30: 8 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 4968337BA6D for ; Tue, 6 Jun 2000 10:30:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id KAA24399; Tue, 6 Jun 2000 10:30:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Tue, 6 Jun 2000 10:30:02 -0700 (PDT)
Message-Id: <200006061730.KAA24399@freefall.freebsd.org>
To: freebsd-ports@FreeBSD.org
Cc:
From: Ade Lovett
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Reply-To: Ade Lovett
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR ports/19047; it has been noted by GNATS.

From: Ade Lovett
To: mi@privatelabs.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Date: Tue, 6 Jun 2000 12:22:21 -0500

On Tue, Jun 06, 2000 at 01:09:35PM -0400, mi@privatelabs.com wrote:
> Yes, thanks for pointing out the obvious. I believe, it is also obvious
> that ``fp = tmpfile()'' is MUCH shorter and cleaner

You forgot ".. and potentially susceptible to a number of security issues
which may be capable of causing the program, and possibly the system, to be
compromised."  We're trying to get rid of security issues in ports, not
add them in.

> The fact that I happen to disagree with the man-page does not mean that
> I did not read it. I did. FreeBSD does not need to care:

Irrelevant.  There is a well-defined, secure, interface for creating
temporary files.  It's called mkstemp().  Use it.

The patch as it stands should absolutely not go into the tree, unless
y'all just want the port marked FORBIDDEN= "bungled security patch"

-aDe

--
Ade Lovett, Austin, TX.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message