Package: tcl8.4 Version: 8.4.9-1 Priority: wishlist Tags: security upstream
As part of a security audit review done by the Debian Security Audit Team [1] I've found a number of bugs related to insecure usage of temorary files. Things like: set tmpf /tmp/something[pid] catch {eval exec someprogram > $tmpf} or set filename "/tmp/something_[pid]" file delete $filename set fid [open $filename w] are quite common, as well as insecure. Shell or Perl programmers who do this can be hitten by a cluebat because they don't use the standard tempfile creation mechanisms, that is: mktemp|||tempfile and File::Temp. That is not the case for tcl programmers since the tcl language lacks a tempfile() or mktemp() implementation. I'm going to start reporting these bugs and provide patches for them, but patches are rather intrusive because of this lack of standarisation on how tempfiles (and directories) should be created when programming in Tcl/Tk. It would be great if Debian developers could help Tcl upstream developers in providing a proper implementation for this, thus closing TIP #210 (http://www.tcl.tk/cgi-bin/tct/tip/210.html). For the time being I will be using the recommendations defined in Tcl's wiki (http://wiki.tcl.tk/772) even if that means having to write big (an intrusive) patches to fix simple scripts :( Regards Javier [1] http://www.debian.org/security/audit
signature.asc
Description: Digital signature