Your message dated Fri, 31 Aug 2012 15:47:21 +0200 (CEST)
with message-id 
<1754539471.49162758.1346420841138.javamail.r...@zimbra13-e2.priv.proxad.net>
and subject line tcl: No tempfile/mktemp/mkstemp implementation in toolkit 
language
has caused the Debian Bug report #291389,
regarding tcl: No tempfile/mktemp/mkstemp implementation in toolkit language
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
291389: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291389
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tcl8.4
Version: 8.4.9-1
Priority: wishlist
Tags: security upstream

As part of a security audit review done by the Debian Security Audit Team 
[1] I've found a number of bugs related to insecure usage of temorary 
files. Things like:

        set tmpf /tmp/something[pid]
        catch {eval exec someprogram > $tmpf} 

or
        set filename "/tmp/something_[pid]"
        file delete $filename
        set fid [open $filename w]

are quite common, as well as insecure. Shell or Perl programmers who do
this can be hitten by a cluebat because they don't use the standard
tempfile creation mechanisms, that is: mktemp|||tempfile and File::Temp. 
That is not the case for tcl programmers since the tcl language lacks a
tempfile() or mktemp() implementation. 

I'm going to start reporting these bugs and provide patches for them, but 
patches are rather intrusive because of this lack of standarisation on how 
tempfiles (and directories) should be created when programming in Tcl/Tk.

It would be great if Debian developers could help Tcl upstream developers 
in providing a proper implementation for this, thus closing TIP #210 
(http://www.tcl.tk/cgi-bin/tct/tip/210.html). For the time being I will be 
using the recommendations defined in Tcl's wiki (http://wiki.tcl.tk/772) 
even if that means having to write big (an intrusive) patches to fix simple 
scripts :(

Regards

Javier

[1] http://www.debian.org/security/audit

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
tags 291389 + wontfix
stop

The implementation of this functionality has been accepted by the Tcl Core Team 
in 2008 and will only present from version 8.6.0 of Tcl. (See 
http://www.tcl.tk/cgi-bin/tct/tip/history/210 and 
http://core.tcl.tk/tcl/finfo?name=compat/mkstemp.c)

-- 
Stéphane Aulery

--- End Message ---

Reply via email to