oss-sec mailing list archives

Re: CVE id request: mktemp

From: Nico Golde <oss-security+ml () ngolde de>
Date: Mon, 18 Aug 2008 22:26:18 +0200

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-08-18 22:09]:

On Mon, 18 Aug 2008, Nico Golde wrote:

This is known but as I wrote in the bug report:
"the file is safely created with O_EXCL and 0600, still
unsafe if used with -u"


Given that -u is "unsafe mode" with a disclaimer against race conditions
(at least based on the manpage I looked at), I'm of the mindset that you'd
flag an application for using mktemp -u, but not mktemp itself.


Ok fine, makes sense to me.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description:

Current thread:

CVE id request: mktemp Nico Golde (Aug 15)
- Re: CVE id request: mktemp Todd C. Miller (Aug 15)
- Re: CVE id request: mktemp Sebastian Krahmer (Aug 18)
  - Re: CVE id request: mktemp Nico Golde (Aug 18)
    - Re: CVE id request: mktemp Todd C. Miller (Aug 18)
    - Re: CVE id request: mktemp Steven M. Christey (Aug 18)
    - Re: CVE id request: mktemp Nico Golde (Aug 18)
  - Re: CVE id request: mktemp Todd C. Miller (Aug 18)
    - Re: CVE id request: mktemp Nico Golde (Aug 18)