
Re: [oss-security] CVE id request: mktemp



* Thijs Kinkhorst:

> On Monday 18 August 2008 22:26, Nico Golde wrote:
>> Hi Steven,
>>
>> * Steven M. Christey <coley@linus.mitre.org> [2008-08-18 22:09]:
>> > On Mon, 18 Aug 2008, Nico Golde wrote:
>> > > This is known but as I wrote in the bug report:
>> > > "the file is safely created with O_EXCL and 0600, still
>> > > unsafe if used with -u"
>> >
>> > Given that -u is "unsafe mode" with a disclaimer against race conditions
>> > (at least based on the manpage I looked at), I'm of the mindset that
>> > you'd flag an application for using mktemp -u, but not mktemp itself.
>>
>> Ok fine, makes sense to me.
>
> Should we remove the mktemp "temp issue" from the tracker or rather mark it as 
> no-dsa or unimportant?

Remove it, in my opinion.

