Date:      Wed, 7 Jun 2000 11:48:32 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        mi@privatelabs.com
Cc:        sobomax@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject:   Re: Call for arbitrage [Fwd: Re: ports/19047: net/arpwatch patched to use  tmpfile() instead of mktemp()]
Message-ID:  <Pine.BSF.4.21.0006071141160.15405-100000@freefall.freebsd.org>
In-Reply-To: <200006071555.LAA92187@misha.privatelabs.com>

On Wed, 7 Jun 2000 mi@privatelabs.com wrote:

> = int fd;
> = FILE *fp;
> = 
> = if ((fd = mkstemp(foo)) == -1) {
> = 	err(1, "mkstemp");
> = } else {
> = 	unlink(fd);
> = }
> = if ((fp = fdopen(fd, "w+")) == NULL)
> = 	err(1, "fdopen");
> = 
> = ...
> 
> Thank you, Kris, for agreeing to moderate, but your suggestion in
> itself is not applicable:
> 

>   	     int unlink(const char *pathname);

unlink(foo);

> = This  method  is   portable  across  platforms,  and   can  safely  be
> = reintegrated by the software author.
> 
> The use of tmpfile is no less portable than the use of err :-). At least
> tmpfile _exists_ on other systems, even if it is not really a secure
> solution on some of them (which ones? is arpwatch even ported to
> others?)

So don't use err() - it's hardly the critical part of the sample code I
posted.

The danger is that tmpfile exists, *but has different, insecure
semantics*, on other platforms, and so the code may compile but be even
more insecure than now. That's unacceptable.

> However, I'm glad I was able to spot the ld's warning about the use of
> mktemp and will now rest. The submitted patch works and is secure on all
> of the BSDs -- the users of the ports tree. The arpwatch maintainers
> will create their own anyway, I suspect.

As ports security officer, I'm requesting that you either rewrite the
patch to solve the problem correctly, or let the PR be closed.

This is not about what's easiest to code or what suits your "ego", it's
about what is secure on all platforms. I don't want to see patches using
tmpfile() going into ports.

Thanks,

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
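An added example, not code from the thread, of the mkstemp()/unlink()/fdopen() pattern Kris describes, with the unlink(path) correction applied; the directory argument, the `arpwatch.XXXXXX` template name and the helper names are assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an anonymous temp file in `dir`: mkstemp(3) creates it atomically
 * (O_EXCL, mode 0600), unlink(2) drops the name while we keep the descriptor,
 * fdopen(3) wraps it. `pathbuf` receives the (now unlinked) path so a caller
 * can verify that nothing is reachable by name any more. */
FILE *secure_tmpfile(const char *dir, char *pathbuf, size_t pathlen)
{
    int fd, saved;
    FILE *fp;

    if (snprintf(pathbuf, pathlen, "%s/arpwatch.XXXXXX", dir) >= (int)pathlen) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    if ((fd = mkstemp(pathbuf)) == -1)   /* replaces XXXXXX in place */
        return NULL;
    /* unlink takes the path, not the descriptor (the bug in the quoted code) */
    if (unlink(pathbuf) == -1 || (fp = fdopen(fd, "w+")) == NULL) {
        saved = errno;
        close(fd);
        errno = saved;
        return NULL;
    }
    return fp;
}

/* Round trip through the file; returns 1 if the data reads back and the
 * path no longer exists in the filesystem. */
int tmpfile_roundtrip(const char *dir)
{
    char path[256], buf[64];
    struct stat st;
    FILE *fp = secure_tmpfile(dir, path, sizeof path);

    if (fp == NULL)
        return 0;
    fputs("arp reply", fp);
    rewind(fp);
    if (fgets(buf, sizeof buf, fp) == NULL) {
        fclose(fp);
        return 0;
    }
    fclose(fp);   /* last reference goes away; the inode is freed */
    return strcmp(buf, "arp reply") == 0 && stat(path, &st) == -1 && errno == ENOENT;
}
```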


