Re: [oss-security] CVE id request: mktemp

To: Thijs Kinkhorst <thijs@debian.org>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: [oss-security] CVE id request: mktemp
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 19 Aug 2008 13:06:32 +0200
Message-id: <[🔎] 87vdxxi7rb.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 200808191217.47041.thijs@debian.org> (Thijs Kinkhorst's message of "Tue, 19 Aug 2008 12:17:44 +0200")
References: <20080815115550.GD31878@ngolde.de> <Pine.GSO.4.51.0808181541070.19112@faron.mitre.org> <20080818202618.GH27231@ngolde.de> <[🔎] 200808191217.47041.thijs@debian.org>

* Thijs Kinkhorst:

> On Monday 18 August 2008 22:26, Nico Golde wrote:
>> Hi Steven,
>>
>> * Steven M. Christey <coley@linus.mitre.org> [2008-08-18 22:09]:
>> > On Mon, 18 Aug 2008, Nico Golde wrote:
>> > > This is known but as I wrote in the bug report:
>> > > "the file is safely created with O_EXCL and 0600, still
>> > > unsafe if used with -u"
>> >
>> > Given that -u is "unsafe mode" with a disclaimer against race conditions
>> > (at least based on the manpage I looked at), I'm of the mindset that
>> > you'd flag an application for using mktemp -u, but not mktemp itself.
>>
>> Ok fine, makes sense to me.
>
> Should we remove the mktemp "temp issue" from the tracker or rather mark it as 
> no-dsa or unimportant?

Remove it, in my opinion.

Reply to:

References:
- Re: [oss-security] CVE id request: mktemp
  - From: Thijs Kinkhorst <thijs@debian.org>

Prev by Date: Re: [oss-security] CVE id request: mktemp
Next by Date: Re: [oss-security] CVE id request: mktemp
Previous by thread: Re: [oss-security] CVE id request: mktemp
Next by thread: patch for Makefile for security-tracker
Index(es):
- Date
- Thread