From owner-freebsd-ports Tue Jun 6 12:40: 6 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6C52737BA6F
	for ; Tue, 6 Jun 2000 12:40:04 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id MAA42560;
	Tue, 6 Jun 2000 12:40:03 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Date: Tue, 6 Jun 2000 12:40:03 -0700 (PDT)
Message-Id: <200006061940.MAA42560@freefall.freebsd.org>
To: freebsd-ports@FreeBSD.org
Cc:
From: mi@privatelabs.com
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Reply-To: mi@privatelabs.com
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR ports/19047; it has been noted by GNATS.

From: mi@privatelabs.com
To: Ade Lovett
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Date: Tue, 6 Jun 2000 15:33:39 -0400 (EDT)

On 6 Jun, Ade Lovett wrote:
= On Tue, Jun 06, 2000 at 01:52:48PM -0400, mi@privatelabs.com wrote:
= > On FreeBSD (and OpenBSD and NetBSD) this is NOT TRUE, and we all
= > know it.
=
= Irrelevant. You're assuming that the code reflects the reality in the
= manual page. There is an explicit reference to using mkstemp() in the
= tmpfile() manual page.

So, you suggest I trust one part of the man page, but not the other?
mkstemp can also be implemented poorly for that matter.

= > My patch removes a potential security issue in the BSD port of the
= > arpwatch software. Please prove otherwise.
=
= Your patch replaces a known security issue with a possible security
= issue, whereas it could be trivially rewritten to remove the security
= issue.

It could be. But the way I wrote it, it is perfectly fine for all of the
OSes involved. I'm afraid, you only jumped to this discussion to "teach
me" to use fdopen (you are welcome to classify this "attack" any way you
want). You do not seem to care about the security/tripwire patch I
submitted recently, for example -- in your not too humble opinion it
suffers the same flaws.

= > tmpfile() is just as well defined and, on FreeBSD, secure. I also
= > happened to like it better than mkstemp().
= >
= > It is sad, that you let your emotions blind you. If there will be
= > someone to knock some sense into you, by, for example, overriding
= > the authority you remind "us'all" about, I'll certainly applaud that
= > person.
=
= Ad hominem attacks are rarely useful. Yours has been noted for future
= reference.

Yeah, yeah... I'm sorry, but this will probably be my last response on
this subject.

	-mi
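The two replacements for mktemp() argued over in this thread, mkstemp() followed by fdopen() and tmpfile(), shown side by side as an added example; it is not code from the PR, the arpwatch port, or either poster. The helper names and the `example.XXXXXX` template are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), fdopen(), fileno() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* mkstemp() chooses the name and opens it in one step (O_CREAT|O_EXCL), so
 * no gap exists between picking a name and opening it, unlike mktemp().
 * Hypothetical helper: the chosen path is written to path_out. */
FILE *open_named_tmp(char *path_out, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, len, "%s/example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return NULL;                      /* template would be truncated */
    int fd = mkstemp(path_out);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");          /* wrap the fd, never reopen by name */
    if (fp == NULL) { close(fd); unlink(path_out); }
    return fp;
}

/* tmpfile() hands back a stream with no name for the caller to clean up. */
FILE *open_anon_tmp(void) { return tmpfile(); }

/* Group/other permission bits of the open stream, or -1 on error. */
int other_perms(FILE *fp)
{
    struct stat st;
    return fstat(fileno(fp), &st) == 0 ? (int)(st.st_mode & 077) : -1;
}

/* Write msg, rewind, read it back; returns 1 if the contents match. */
int roundtrip(FILE *fp, const char *msg)
{
    char buf[128] = {0};
    if (fputs(msg, fp) == EOF || fseek(fp, 0L, SEEK_SET) != 0)
        return 0;
    return fgets(buf, sizeof buf, fp) != NULL && strcmp(buf, msg) == 0;
}

int main(void)
{
    char path[256];
    FILE *a = open_named_tmp(path, sizeof path), *b = open_anon_tmp();
    if (a == NULL || b == NULL) return 1;
    printf("%s g/o=%o\n", path, (unsigned)other_perms(a));
    return unlink(path);                  /* named variant needs explicit cleanup */
}
```

With mkstemp() the caller still owns a path and must unlink() it; with tmpfile() there is nothing to unlink, but also no name to hand to another program.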