[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-grass-general] r.terraflow ?



> > > Isn't r.terraflow modul added to grass6 (installed as debian
> > > package).
> > 
> > No. There is an outstanding security issue that precludes it from
> > being part of the Debian package. (insecure temp files)
> > 
> > See /usr/share/doc/grass/changelog.Debian.gz
> 
> What's keeping us from patching r.terraflow then? I'm guessing it's
> probably swapping one libc function for another, no?


Not very much, just needs to be changed to use a directory created with
G_tempfile() or tmpfile() instead of /var/tmp/ by default for the
STREAM_DIR= option.

G_tempfile() creates a temporary file in the users' mapset repository,
e.g. $MAPSET/.tmp/$HOSTNAME/12345.0

Just need to remove that file, mkdir something of the same name & 
cleanup when done?

G_tempfile() is found in the grass source in lib/gis/tempfile.c

Alternatively & maybe better use tmpfile(). G_tempfile() & usage 
rules may be in flux in the near future, please read this thread:
  http://thread.gmane.org/gmane.comp.gis.grass.devel/8065


I had fixed this for other modules to take care of Debian bug #287651,
but didn't touch r.terraflow for two reasons. a) it's optional; b)
the original author is still around. To date no fix from (b) though.


further reading:
  http://www.linuxsecurity.com/content/view/115462/151/#mozTocId316364



Hamish



Reply to: