
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages



On Tue, Aug 12, 2008 at 03:52:14PM -0700, John H. Robinson, IV wrote:
> As mktemp and tempfile are both essential[2], they can be relied upon.

Essential in Debian, not in other systems.

> Is there any scenario where using mktemp or tempfile fails, and using
> $TMPDIR succeeds?

Scripts that are written with portability to other OSes in mind (or have been
originally written for these OSes and are now used in Linux). Some might even
try to use mktemp/tempfile and fall back to $TMPDIR (or just plain /tmp) if
unavailable. These scripts show up as false positives when looking for tmp
race conditions using simple tools (such as 'grep' :)

Regards

Javier
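
The fallback pattern described in the message above, sketched as an added example that is not part of the original post: try mktemp, then Debian's tempfile, and only if neither exists create a private directory under $TMPDIR with mkdir, which fails instead of following a pre-planted symlink. The names `safe_tmpfile` and `SAFE_TMP_FORCE_FALLBACK` are hypothetical. A grep for "/tmp" or "$TMPDIR" would flag this script even though no predictable file name is ever opened.

```shell
#!/bin/sh
# Added example, not code from the thread. safe_tmpfile and
# SAFE_TMP_FORCE_FALLBACK are hypothetical names chosen for illustration.

# Print the path of a newly created private temp file; return 1 on failure.
safe_tmpfile() {
    prefix=${1:-tmp}
    dir=${TMPDIR:-/tmp}

    # Preferred: let mktemp or tempfile pick an unpredictable name and
    # create the file exclusively. The switch exists only so the portable
    # branch can be exercised on systems that do have these tools.
    if [ -z "${SAFE_TMP_FORCE_FALLBACK:-}" ]; then
        if command -v mktemp >/dev/null 2>&1; then
            mktemp "$dir/$prefix.XXXXXX" && return 0
        elif command -v tempfile >/dev/null 2>&1; then
            tempfile -d "$dir" -p "$prefix" && return 0
        fi
    fi

    # Portable fallback: mkdir is atomic and fails with EEXIST if anything,
    # including a dangling symlink, already sits at the path. The name is
    # predictable ($$ plus a counter), so safety comes from mkdir refusing
    # to reuse an existing entry, not from secrecy of the name.
    old_umask=$(umask)
    umask 077
    n=0
    while [ "$n" -lt 100 ]; do
        d="$dir/$prefix.$$.$n"
        if mkdir "$d" 2>/dev/null; then
            # The directory is mode 0700 and owned by us, so creating a
            # file inside it cannot be raced by another user.
            : > "$d/file"
            rc=$?
            umask "$old_umask"
            [ "$rc" -eq 0 ] && printf '%s\n' "$d/file"
            return "$rc"
        fi
        n=$((n + 1))
    done
    umask "$old_umask"
    return 1
}
```
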
