The Austin group has recommended that for the next version of POSIX, m4's maketemp macro be deprecated as insecure (POSIX specifies it to replace trailing X's with the pid without regards to file existence, which makes it easy for an attacker to provide a substitute file), and add a new macro mkstemp that matches the current M4 1.4.x maketemp semantics [1] (based on mkstemp(3) semantics). As a result, I will be patching CVS m4 to emit a warning on use of maketemp, and that will cause autom4te to fail if anyone is using m4sugar's current m4_maketemp. So I propose this patch, which adds m4_mkstemp, and makes m4_maketemp and m4_mkstemp synonyms (both pointing to the non-warning variant provided by the underlying M4). OK to apply?
[1] See the thread at http://www.opengroup.org/austin/mailarchives/ag/msg09834.html; if you are an Austin group member (free registration), you can also login to read the referenced proposed interpretation 117. 2006-10-19 Eric Blake <[EMAIL PROTECTED]> * lib/m4sugar/m4sugar.m4 (m4_maketemp): Avoid warnings generated by M4 1.9a. * lib/emacs/autoconf-mode.el (autoconf-font-lock-keywords): Color m4_mkstemp. * doc/autoconf.texi (Redefined M4 Macros): Document m4_mkstemp. Index: lib/m4sugar/m4sugar.m4 =================================================================== RCS file: /sources/autoconf/autoconf/lib/m4sugar/m4sugar.m4,v retrieving revision 2.99 diff -u -r2.99 m4sugar.m4 --- lib/m4sugar/m4sugar.m4 20 Jun 2006 05:35:38 -0000 2.99 +++ lib/m4sugar/m4sugar.m4 19 Oct 2006 16:46:56 -0000 @@ -140,7 +140,11 @@ m4_rename_m4([len]) m4_rename([m4exit], [m4_exit]) m4_rename([m4wrap], [m4_wrap]) -m4_rename_m4([maketemp]) +m4_ifdef([mkstemp], + [m4_rename_m4([mkstemp]) + m4_copy([m4_mkstemp], [m4_maketemp])], + [m4_rename_m4([maketemp]) + m4_copy([m4_maketemp], [m4_mkstemp])]) m4_rename([patsubst], [m4_bpatsubst]) m4_undefine([popdef]) m4_rename_m4([pushdef]) Index: doc/autoconf.texi =================================================================== RCS file: /sources/autoconf/autoconf/doc/autoconf.texi,v retrieving revision 1.1096 diff -u -r1.1096 autoconf.texi --- doc/autoconf.texi 17 Oct 2006 02:31:44 -0000 1.1096 +++ doc/autoconf.texi 19 Oct 2006 16:56:58 -0000 @@ -9752,7 +9752,6 @@ @msindex{index} @msindex{indir} @msindex{len} [EMAIL PROTECTED] @msindex{pushdef} @msindex{shift} @msindex{substr} @@ -9856,6 +9855,20 @@ to recover the behavior of the builtin. @end defmac [EMAIL PROTECTED] m4_maketemp (@var{template}) [EMAIL PROTECTED] m4_mkstemp (@var{template}) [EMAIL PROTECTED] [EMAIL PROTECTED] +Posix requires @code{maketemp} to replace the trailing @samp{X} +characters in @var{template} with the process id, without regards to the +existence of a file by that name, but this a security hole. When this +was pointed out to the Posix folks, they agreed to invent a new macro [EMAIL PROTECTED] that always creates a uniquely named file, but not all +versions of @acronym{GNU} M4 support the new macro. In M4sugar, [EMAIL PROTECTED] and @code{m4_mkstemp} are synonyms for each other, +and both have the secure semantics regardless of which macro the +underlying M4 provides. [EMAIL PROTECTED] defmac @node Looping constructs @@ -19135,4 +19148,6 @@ @c Local Variables: @c fill-column: 72 @c ispell-local-dictionary: "american" [EMAIL PROTECTED] indent-tabs-mode: nil [EMAIL PROTECTED] whitespace-check-buffer-indent: nil @c End: Index: lib/emacs/autoconf-mode.el =================================================================== RCS file: /sources/autoconf/autoconf/lib/emacs/autoconf-mode.el,v retrieving revision 1.4 diff -u -r1.4 autoconf-mode.el --- lib/emacs/autoconf-mode.el 14 May 2005 07:00:40 -0000 1.4 +++ lib/emacs/autoconf-mode.el 19 Oct 2006 17:09:59 -0000 @@ -6,7 +6,7 @@ ;; This file is part of Autoconf -;; Copyright 2001 Free Software Foundation, Inc. +;; Copyright 2001, 2006 Free Software Foundation, Inc. ;; ;; This program is free software; you can redistribute it and/or modify ;; it under the terms of the GNU General Public License as published by @@ -40,7 +40,7 @@ (defvar autoconf-font-lock-keywords `(("\\bdnl \\(.*\\)" 1 font-lock-comment-face t) ("[EMAIL PROTECTED]" . font-lock-variable-name-face) - ("\\b\\(m4_\\)?\\(builtin\\|change\\(com\\|quote\\|word\\) \\|d\\(e\\(bug\\(file\\|mode\\)\\|cr\\|f\\(ine\\|n\\)\\)\\|iv\\(ert\\|num\\) \\|nl\\|umpdef\\)\\|e\\(rrprint\\|syscmd\\|val\\)\\|f\\(ile\\|ormat\\) \\|gnu\\|i\\(f\\(def\\|else\\)\\|n\\(c\\(lude\\|r\\)\\|d\\(ex\\|ir\\)\\)\\) \\|l\\(en\\|ine\\)\\|m\\(4\\(exit\\|wrap\\)\\|aketemp\\) \\|p\\(atsubst\\|opdef\\|ushdef\\) \\|regexp\\|s\\(hift\\|include\\|ubstr\\|ys\\(cmd\\|val\\)\\) \\|tra\\(ceo\\(ff\\|n\\)\\|nslit\\)\\|un\\(d\\(efine\\|ivert\\)\\|ix\\)\\) \\b" . font-lock-keyword-face) + ("\\b\\(m4_\\)?\\(builtin\\|change\\(com\\|quote\\|word\\) \\|d\\(e\\(bug\\(file\\|mode\\)\\|cr\\|f\\(ine\\|n\\)\\)\\|iv\\(ert\\|num\\) \\|nl\\|umpdef\\)\\|e\\(rrprint\\|syscmd\\|val\\)\\|f\\(ile\\|ormat\\) \\|gnu\\|i\\(f\\(def\\|else\\)\\|n\\(c\\(lude\\|r\\)\\|d\\(ex\\|ir\\)\\)\\) \\|l\\(en\\|ine\\)\\|m\\(4\\(exit\\|wrap\\)\\|aketemp\\|kstemp\\) \\|p\\(atsubst\\|opdef\\|ushdef\\) \\|regexp\\|s\\(hift\\|include\\|ubstr\\|ys\\(cmd\\|val\\)\\) \\|tra\\(ceo\\(ff\\|n\\)\\|nslit\\)\\|un\\(d\\(efine\\|ivert\\)\\|ix\\)\\) \\b" . font-lock-keyword-face) ("^\\(\\(m4_\\)?define\\|A._DEFUN\\|m4_defun\\)(\\[?\\([A-Za-z0-9_]+\\)" 3 font-lock-function-name-face) "default font-lock-keywords") )