bison (Re: Owl packages with dangerous "tmp" functions)
From: Solar Designer
Subject: bison (Re: Owl packages with dangerous "tmp" functions)
Date: Thu, 4 Jan 2001 12:36:02 +0300
User-agent: Mutt/1.2.5i

Hi,
Quoting my own post to vendor-sec,
> + bison
> A plus means that I've already committed a patch for Owl and done some
> testing on it. I'll be posting the patches here as appropriate.
> Greg said that they didn't look into bison "due to time and manpower
> constraints"; well, so I decided to take it and will post the patch.
I am now attaching the patch against bison-1.28. The configure
script in bison already has a check for mkstemp(3), which I'm using
in the patch, so it should be sufficient to add #ifdef HAVE_MKSTEMP
as appropriate to make this patch portable. Of course, it would be
better to also include a safe version of the code for systems which
don't have mkstemp. (Perhaps, tryopen() could be changed to support
"x" for O_EXCL/fdopen such that this will allow for no worse a DoS.)
--
/sd
bison-1.28-owl-tmp.diff
Description: Text document
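
Added example, not part of the original message or of the attached patch: the two approaches the message mentions, written out in C, with mkstemp(3) behind HAVE_MKSTEMP and an exclusive-create open wrapped with fdopen for systems without it. The helper names (wrap_fd, excl_fopen, tmp_fopen, symlink_is_refused), the /tmp paths and the y.tab.c file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define HAVE_MKSTEMP 1 /* assumption: configure normally sets this */

/* Wrap fd in a stdio stream; on failure leave no descriptor or file behind. */
static FILE *wrap_fd(int fd, const char *path)
{
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w+");
    if (fd >= 0 && fp == NULL) {
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Hypothetical "x" mode: create path only if nothing, symlinks included, is there. */
FILE *excl_fopen(const char *path)
{
    return wrap_fd(open(path, O_RDWR | O_CREAT | O_EXCL, 0600), path);
}

/* Hypothetical helper: tmpl ends in "XXXXXX"; mkstemp rewrites it in place. */
FILE *tmp_fopen(char *tmpl)
{
#ifdef HAVE_MKSTEMP
    return wrap_fd(mkstemp(tmpl), tmpl);
#else
    return excl_fopen(tmpl); /* after the old name generation, omitted here */
#endif
}

/* Constructed scenario: returns 1 when a symlink at the name makes the open fail. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", path[64], victim[64];
    int ok;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/y.tab.c", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    ok = symlink(victim, path) == 0 && excl_fopen(path) == NULL &&
         errno == EEXIST && access(victim, F_OK) != 0;
    unlink(path);
    rmdir(dir);
    return ok;
}
```

With the exclusive create, a name that someone else has already occupied produces an open failure (the DoS the message refers to) instead of a write through the planted link.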