
[Pkg-grass-general] [jfs@computer.org: Bug#291389: tcl: No tempfile/mktemp/mkstemp implementation in toolkit language]



This is of interest for GRASS developers probably and maybe general
information... Please, forward to lists of interests.


----- Forwarded message from Javier Fernández-Sanguino Peña <jfs@computer.org> -----

Subject: Bug#291389: tcl: No tempfile/mktemp/mkstemp implementation in toolkit language
Reply-To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
	291389@bugs.debian.org
Resent-From: Javier Fernández-Sanguino Peña
    <jfs@computer.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Chris Waters <xtifr@debian.org>
Resent-Date: Thu, 20 Jan 2005 14:33:02 UTC
Resent-Message-Id: <handler.291389.B.11062307282502@bugs.debian.org>
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@bugs.debian.org>

Package: tcl8.4
Version: 8.4.9-1
Priority: wishlist
Tags: security upstream

As part of a security audit review done by the Debian Security Audit Team 
[1] I've found a number of bugs related to insecure usage of temporary 
files. Things like:

        set tmpf /tmp/something[pid]
        catch {eval exec someprogram > $tmpf} 

or
        set filename "/tmp/something_[pid]"
        file delete $filename
        set fid [open $filename w]

are quite common, as well as insecure. Shell or Perl programmers who do
this can be hit by a cluebat because they don't use the standard
tempfile creation mechanisms, that is: mktemp|||tempfile and File::Temp. 
That is not the case for tcl programmers since the tcl language lacks a
tempfile() or mktemp() implementation. 

I'm going to start reporting these bugs and provide patches for them, but 
patches are rather intrusive because of this lack of standardisation on how 
tempfiles (and directories) should be created when programming in Tcl/Tk.

It would be great if Debian developers could help Tcl upstream developers 
in providing a proper implementation for this, thus closing TIP #210 
(http://www.tcl.tk/cgi-bin/tct/tip/210.html). For the time being I will be 
using the recommendations defined in Tcl's wiki (http://wiki.tcl.tk/772) 
even if that means having to write big (and intrusive) patches to fix simple 
scripts :(

Regards

Javier

[1] http://www.debian.org/security/audit



----- End forwarded message -----

-- 
Francesco P. Lovergine
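The insecure patterns quoted in the bug report (a predictable `/tmp/something[pid]` name, deleted and then reopened, or handed to `exec ... > $tmpf`) are vulnerable because the name is guessable and the path is created non-atomically, so a pre-planted file or symlink at that path gets followed. The following is an added example, not code from the bug report or from the Tcl project, of the kind of helper the Tcl wiki approach the reporter mentions boils down to on a Tcl 8.4-era interpreter: create the file with `open`'s `CREAT EXCL` flags and mode 0600 so an existing path makes creation fail instead of being reused, use a random suffix rather than just the pid, retry on collision, and hand the open channel (not the path) to `exec` via `>@`. The procedure name `secure_tempfile` and the `/tmp` fallback are this example's own choices.

```tcl
# Added example (not part of the original post): atomic, owner-only temporary
# file creation for Tcl interpreters that lack a tempfile/mktemp command.
#
# Security properties:
#   - CREAT|EXCL makes the kernel refuse to open a path that already exists
#     (including a dangling symlink planted by another user), so the file can
#     never be pre-created or redirected by someone else.
#   - mode 0600 restricts the file to the owner from the instant it exists.
#   - A random suffix makes the name hard to guess; a collision only costs a
#     retry, it is never silently reused.
# Note: Tcl's rand() is not cryptographically strong. The exclusivity check is
# what prevents hijacking; the randomness only avoids collisions and denial of
# service by name squatting.

proc secure_tempfile {{prefix "tmp"} {dir ""}} {
    if {$dir eq ""} {
        # Honour TMPDIR when set, otherwise fall back to /tmp.
        if {[info exists ::env(TMPDIR)] && $::env(TMPDIR) ne ""} {
            set dir $::env(TMPDIR)
        } else {
            set dir /tmp
        }
    }
    set chars "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    set nchars [string length $chars]
    for {set attempt 0} {$attempt < 100} {incr attempt} {
        set suffix ""
        for {set i 0} {$i < 10} {incr i} {
            append suffix [string index $chars [expr {int(rand() * $nchars)}]]
        }
        set path [file join $dir "${prefix}.${suffix}"]
        # Create exclusively; succeed only if nothing exists at $path yet.
        if {![catch {open $path {RDWR CREAT EXCL} 0600} fid]} {
            return [list $fid $path]
        }
        # EEXIST means the name is taken: pick another. Any other error
        # (permissions, missing directory, ...) is a real failure.
        if {[lindex $::errorCode 1] ne "EEXIST"} {
            error "cannot create temporary file in $dir: $fid"
        }
    }
    error "failed to create a unique temporary file in $dir after 100 attempts"
}

# Usage: the safe replacement for the report's `exec someprogram > $tmpf`.
# The program's output goes to the already-open channel (>@), so there is no
# second open-by-path that could be raced between creation and use.
# `foreach ... break` is the Tcl 8.4 idiom for destructuring a list.
foreach {fid tmpf} [secure_tempfile "something"] break
if {[catch {exec someprogram >@ $fid} err]} {
    # Log or handle the program's failure; the file is still ours to clean up.
    puts stderr "someprogram failed: $err"
}
close $fid
# ... read or process $tmpf here ...
file delete -force $tmpf
```

If a script only needs to hand a file name to an external program that insists on opening it by path, create it with `secure_tempfile` first and pass `$tmpf` afterwards: the exclusive creation guarantees the path is already the script's own file, and the sticky bit on `/tmp` prevents other users from removing it underneath the script. Tcl 8.6 later added `file tempfile`, the implementation of TIP #210 the report asks for, which is the preferred call where that interpreter version is available.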


