Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
On Sat, Jan 04, 2003 at 10:20:09PM +0000, Julian Gilbey wrote:
> The woody version uses a shell script with the tempfile command. The
> code is essentially:
>
> tmp=`tempfile ...`
> zcat ... > $tmp
>
> I don't know whether tempfile is careful to check for the safety of
> the directory more thoroughly than perl's File::Temp or not; if this
> is not safe, then we have some serious problems pretty much everywhere
> where tempfile is likely to be used.
tempfile is safe, because it creates the file in a secure manner before
returning the filename.
--
- mdz
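
The pattern discussed in this thread, as an added example that is not part of the original messages or of the tetex-bin wrapper. `mktemp` stands in for `tempfile` as an assumption (both create the file exclusively before printing its name); the function names, `demo_dir` and the file names are hypothetical.

```shell
#!/bin/sh
# Added illustration: creating the temp file before using its name, contrasted
# with writing to a guessable name. Everything happens inside a private
# scratch directory (demo_dir, hypothetical), never in shared /tmp.

demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT

# Pattern from the thread: the utility creates the file (exclusive create,
# mode 0600) and only then returns the name, so the later redirect
# writes into a file this user already owns.
safe_decompress() {
    # $1 = gzip-compressed input; prints the name of the temp file
    tmp=$(mktemp "$demo_dir/xdvi.XXXXXX") || return 1
    # gzip -dc is what zcat runs
    gzip -dc "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# For contrast: a guessable name opened with a plain redirect.
# If something already sits at that name, including a symlink,
# the redirect follows it and truncates the target.
predictable_write() {
    # $1 = predictable path, $2 = data
    printf '%s' "$2" > "$1"
}

# Same guessable name, but with noclobber (set -C): the shell refuses
# the redirect when a regular file, or a link to one, is already there.
exclusive_write() {
    # $1 = predictable path, $2 = data; non-zero status when refused
    ( set -C; printf '%s' "$2" > "$1" ) 2>/dev/null
}
```

In a wrapper script the check that matters is the exit status of the creation step: if `mktemp` (or `tempfile`) fails, stop rather than fall back to a fixed name.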