
Re: [oss-security] CVE id request: mktemp



On Monday 18 August 2008 22:26, Nico Golde wrote:
> Hi Steven,
>
> * Steven M. Christey <coley@linus.mitre.org> [2008-08-18 22:09]:
> > On Mon, 18 Aug 2008, Nico Golde wrote:
> > > This is known but as I wrote in the bug report:
> > > "the file is safely created with O_EXCL and 0600, still
> > > unsafe if used with -u"
> >
> > Given that -u is "unsafe mode" with a disclaimer against race conditions
> > (at least based on the manpage I looked at), I'm of the mindset that
> > you'd flag an application for using mktemp -u, but not mktemp itself.
>
> Ok fine, makes sense to me.

Should we remove the mktemp "temp issue" from the tracker or rather mark it as 
no-dsa or unimportant?


Thijs
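
Added example, not part of the original thread or of mktemp itself: a shell sketch of the distinction drawn above. By default the file exists with owner-only permissions when mktemp returns, while -u hands back only a name, so the check belongs on the calling scripts. The function names and the grep pattern are assumptions made for this illustration, and the pattern is a heuristic.

```shell
#!/bin/sh
# Default mode: mktemp itself creates the file (O_EXCL, 0600 as quoted above).
# Report the permission string of the file it leaves behind.
created_perms() {
    f=$(mktemp) || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    rm -f "$f"
    printf '%s\n' "$perms"
}

# -u mode: only a name comes back. Nothing holds that name afterwards, so
# whatever the caller does next with it is no longer protected by mktemp.
dry_run_leaves_file() {
    n=$(mktemp -u) || return 1
    if [ -e "$n" ]; then echo yes; else echo no; fi
}

# Audit helper (hypothetical): print file:line:text for each mktemp call that
# passes -u, alone or bundled (e.g. -qu), or GNU coreutils' --dry-run.
# Heuristic only: it does not parse shell quoting or line continuations.
flag_unsafe_mktemp() {
    grep -nHE 'mktemp[[:space:]]([^|;&)]*[[:space:]])?(-[A-Za-z]*u[A-Za-z]*|--dry-run)([[:space:]]|[;)|&]|$)' "$@"
}

# Demo on a constructed two-line script.
demo=$(mktemp)
printf '%s\n' 'ok=$(mktemp)' 'bad=$(mktemp -u)' > "$demo"
echo "default perms: $(created_perms); file left by -u: $(dry_run_leaves_file)"
flag_unsafe_mktemp "$demo"
rm -f "$demo"
```

Run the helper over a source tree, for example `flag_unsafe_mktemp debian/*.sh`, and review each hit by hand; callers that need a private name without a race can use `mktemp -d` and create files inside that directory.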
