Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
- To: debian-devel@lists.debian.org
- Subject: Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
- From: Javier Fernández-Sanguino Peña <jfs@debian.org>
- Date: Mon, 8 Sep 2008 02:43:00 +0200
- Message-id: <20080908004300.GC19540@javifsp.no-ip.org>
- Mail-followup-to: debian-devel@lists.debian.org
- In-reply-to: <20080812225212.GA4737@a.mx.sbih.org>
- References: <E1KSRLo-0005hY-Fe@apache.rbscorp.ru> <pan.2008.08.11.17.31.50@robots.org.uk> <20080812063807.GG28198@work.uvw.ru> <20080812141908.GB18972@crustytoothpaste.ath.cx> <20080812143017.GB4657@work.uvw.ru> <48A19DD8.5030005@gmail.com> <20080812144620.GE4657@work.uvw.ru> <20080812225212.GA4737@a.mx.sbih.org>
On Tue, Aug 12, 2008 at 03:52:14PM -0700, John H. Robinson, IV wrote:
> As mktemp and tempfile are both essential[2], they can be relied upon.
Essential in Debian, not in other systems.
> Is there any scenario where using mktemp or tempfile fails, and using
> $TMPDIR succeeds?
Scripts that are written with portability to other OSes in mind (or have been
originally written for these OSes and are now used in Linux). Some might even
try to use mktemp/tempfile and fall back to $TMPDIR (or just plain /tmp) if
unavailable. These scripts show up as false positives when looking for tmp
race conditions using simple tools (such as 'grep' :)
Regards
Javier
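
The fallback pattern discussed in this message, as an added example that is not part of the original post or of any Debian package: a portable script can try mktemp, then tempfile, and only then build a name under $TMPDIR itself without becoming vulnerable to a pre-planted symlink. The function names `fallback_tmpdir` and `portable_tmpfile` are hypothetical, and a plain grep for `/tmp` would still flag this script even though it is safe.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the thread.

# Last-resort path for systems with neither mktemp nor tempfile.
# mkdir is atomic and fails if the name already exists, even when it is
# a dangling symlink, so a link planted by another user is never followed.
# Prints the path of a new directory readable only by its owner.
fallback_tmpdir() {
    base=${TMPDIR:-/tmp}
    n=0
    while [ "$n" -lt 100 ]; do
        dir="$base/$1.$$.$n"
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        n=$((n + 1))    # name taken (possibly planted): try the next one
    done
    return 1
}

# Preferred order: mktemp, then Debian's tempfile, then the mkdir fallback.
# Prints the path of a newly created file.
portable_tmpfile() {
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "${TMPDIR:-/tmp}/$1.XXXXXX"
    elif command -v tempfile >/dev/null 2>&1; then
        tempfile -p "$1"
    else
        d=$(fallback_tmpdir "$1") || return 1
        # The file lives inside the private directory, so its fixed name
        # cannot be raced by other users.
        : > "$d/data" && printf '%s\n' "$d/data"
    fi
}
```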