Re: [Pkg-grass-general] r.terraflow ?
> > > Isn't r.terraflow modul added to grass6 (installed as debian
> > > package).
> >
> > No. There is an outstanding security issue that precludes it from
> > being part of the Debian package. (insecure temp files)
> >
> > See /usr/share/doc/grass/changelog.Debian.gz
>
> What's keeping us from patching r.terraflow then? I'm guessing it's
> probably swapping one libc function for another, no?
Not very much, just needs to be changed to use a directory created with
G_tempfile() or tmpfile() instead of /var/tmp/ by default for the
STREAM_DIR= option.
G_tempfile() creates a temporary file in the users' mapset repository,
e.g. $MAPSET/.tmp/$HOSTNAME/12345.0
Just need to remove that file, mkdir something of the same name &
cleanup when done?
G_tempfile() is found in the grass source in lib/gis/tempfile.c
Alternatively & maybe better use tmpfile(). G_tempfile() & usage
rules may be in flux in the near future, please read this thread:
http://thread.gmane.org/gmane.comp.gis.grass.devel/8065
I had fixed this for other modules to take care of Debian bug #287651,
but didn't touch r.terraflow for two reasons. a) it's optional; b)
the original author is still around. To date no fix from (b) though.
further reading:
http://www.linuxsecurity.com/content/view/115462/151/#mozTocId316364
Hamish
Reply to: