Your message dated Tue, 04 May 2010 08:38:32 -0400
with message-id <[email protected]>
and subject line Re: mktemp: should refuse templates which it currently returns 
literally
has caused the Debian Bug report #492270,
regarding mktemp: should refuse templates which it currently returns literally
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
492270: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492270
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mktemp
Version: 1.5-2
Severity: normal

mktemp can be given templates which expand to the same name at every
use. It seems that it will only enter random characters into the "X"
letters from the template if they are at the end, so this can easily
happen by mistake. This leads to an unexpected denial of service
vulnerability, triggered if a file with that name already exists.

Such a mistake in a script can (and did until recently) go unnoticed if,
e.g., an erroneously appended ".tmp" suffix leads to a valid, although
not randomly named temporary file. This was only noticed when such a
file was lingering around from a failed run and the new instance's error
message suspiciously still contained all the "X" letters from the
template.

Consider this example:

  $ mktemp foo.XXXXXX
  foo.S26762
  $ mktemp foo.XXXXXX
  foo.i28529

  $ mktemp foo.XXXXXX.tmp
  foo.XXXXXX.tmp
  $ mktemp foo.XXXXXX.tmp
  mktemp: cannot create temp file foo.XXXXXX.tmp: File exists

The first two mktemp invocations result in two randomly and differently
named temporary files, as expected. The third invocation creates a file
with a predictable name, and the fourth fails as this file already
exists.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages mktemp depends on:
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries

mktemp recommends no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
mktemp foo.XXXXXX.tmp will now replace XXXXXX with a random string.


--- End Message ---
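
An added example, not part of the bug report or of mktemp itself: a POSIX sh guard for scripts that may still run against an mktemp with the behaviour reported above. The function names `trailing_x_count` and `checked_mktemp` and the return code 3 are this example's own choices.

```sh
#!/bin/sh
# Added example; function names and exit codes are this example's own.

# Count the X characters at the very end of a template. The report observes
# that only a trailing run is randomised, so 0 means "returned literally"
# on the affected version.
trailing_x_count() {
    _rest=$1
    _n=0
    while [ "${_rest%X}" != "$_rest" ]; do
        _rest=${_rest%X}
        _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# Run mktemp and refuse a result that is still the literal template.
# Returns 1 if mktemp itself failed, 3 if the name was not randomised.
checked_mktemp() {
    _tpl=$1
    _path=$(mktemp "$_tpl") || return 1
    if [ "$_path" = "$_tpl" ]; then
        # mktemp just created this file, so removing it is safe and avoids
        # leaving the predictable name behind for the next run to trip over.
        rm -f -- "$_path"
        echo "checked_mktemp: template not randomised: $_tpl" >&2
        return 3
    fi
    printf '%s\n' "$_path"
}
```

`trailing_x_count` suits a lint pass over the templates a script uses; `checked_mktemp` is the runtime check for hosts whose mktemp version is not known.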