
Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)



On Sat, Jan 04, 2003 at 10:20:09PM +0000, Julian Gilbey wrote:

> The woody version uses a shell script with the tempfile command.  The
> code is essentially:
> 
>   tmp=`tempfile ...`
>   zcat ... > $tmp
> 
> I don't know whether tempfile is careful to check for the safety of
> the directory more thoroughly than perl's File::Temp or not; if this
> is not safe, then we have some serious problems pretty much everywhere
> where tempfile is likely to be used.

tempfile is safe, because it creates the file in a secure manner before
returning the filename.

-- 
 - mdz
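
The point made in the reply above, as an added example that is not part of the original message or of tetex-bin: the woody pattern written so that the file exists, privately, before anything is written to it, with a check on the directory that the quoted question raises. It uses mktemp(1) in place of tempfile(1); the function names and the "xdvi-demo" prefix are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). mktemp(1) stands in for tempfile(1):
# both create the file themselves with O_CREAT|O_EXCL and mode 0600, then
# print its name. Function names and the "xdvi-demo" prefix are made up.

# Succeed unless $1 is a world-writable directory without the sticky bit,
# where another user could rename or delete our file after creation.
dir_is_safe() {
    perms=$(ls -ld "$1/." 2>/dev/null | cut -c1-10)
    case $perms in
        d???????w[tT]) return 0 ;;  # world-writable but sticky, like /tmp
        d???????w?)    return 1 ;;  # world-writable, no sticky bit
        d*)            return 0 ;;  # not world-writable
        *)             return 1 ;;  # missing or not a directory
    esac
}

# Succeed if $1 is a regular file, not a symlink, owned by us, mode 0600.
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Decompress gzip file $1 into a new private file under directory $2
# (default: $TMPDIR or /tmp) and print the new file's path.
decompress_to_temp() {
    src=$1
    dir=${2:-${TMPDIR:-/tmp}}
    dir_is_safe "$dir" || return 1
    tmp=$(mktemp "$dir/xdvi-demo.XXXXXX") || return 1
    is_private_file "$tmp" || { rm -f "$tmp"; return 1; }
    # The redirect reopens a file that already exists and belongs to us, so
    # nobody else can have planted a file or symlink at this name.
    if ! gzip -dc "$src" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}
```

The caller is responsible for removing the returned file, for instance from a trap on EXIT.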


